7

The ruleset protects the user's entry as follows:

  • only he or an admin can read his data
  • only an admin can update a user's permissions
  • a user can update all his data, unless he sets the permissions object

The rule looks like:

match /users/{userId} {
  allow read: if isCurrentUser(userId) || isAdmin();
  allow write: if (isCurrentUser(userId) && !isModifyingPermissions()) || isAdmin();

  function isModifyingPermissions(){
    return request.resource.data['permissions'] != null;
  }
}

I'm stuck with the isModifyingPermissions() function. It properly refuses a write in case the request has a value for the permissions property. However, the rule crashes if no permissions property is provided, stating the following:

Error: simulator.rules line [19], column [15]. Property permissions is undefined on object.

How can one write "check presence of a property on request resource"?

Doug Stevenson
Jem

1 Answer

3

Ok, here's the solution:

  function isModifyingPermissions(){
    return request.resource.data.keys().hasAny(["permissions"]);
  }
Jem
  • 2
    note to self: search some more before asking the question :-) The following helped: https://stackoverflow.com/questions/48176704/firestore-security-rules-how-can-i-check-that-a-field-is-isnt-being-modified?rq=1 – Jem Aug 09 '18 at 14:32
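
An added example, not code from the question or the answer: the same policy written as a full ruleset. On an update, `request.resource.data` is the document as it would look after the write, so a key test also matches a `permissions` field that an admin stored earlier; the update rule here compares against the stored document instead. The bodies of `isCurrentUser` and `isAdmin`, the `admin` custom claim and the delete rule are assumptions, since the page does not show them.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read: if isCurrentUser(userId) || isAdmin();

      // Create: no stored document exists yet, so testing for the key is
      // enough to stop a user from writing his own permissions object.
      allow create: if isAdmin()
        || (isCurrentUser(userId) && !('permissions' in request.resource.data));

      // Update: request.resource.data holds stored fields merged with the
      // incoming ones, so check what this write actually touches.
      allow update: if isAdmin()
        || (isCurrentUser(userId) && !isModifyingPermissions());

      // Assumption: the three bullets on the page do not cover deletes;
      // this example leaves them to admins.
      allow delete: if isAdmin();

      function isModifyingPermissions() {
        // affectedKeys() is the set of keys added, removed or changed.
        return request.resource.data.diff(resource.data).affectedKeys().hasAny(['permissions']);
      }
    }

    // Hypothetical helper: the page uses this name but never shows its body.
    function isCurrentUser(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Assumption: admins carry a custom auth claim named "admin".
    // get() with a default avoids an "undefined property" error when the
    // claim is absent, the same failure mode the question ran into.
    function isAdmin() {
      return request.auth != null && request.auth.token.get('admin', false) == true;
    }
  }
}
```

In the rules simulator, check three cases as the owning user: an update that leaves `permissions` untouched on a document that already has the field (allowed), an update that changes it (denied), and a create that includes it (denied).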