
I have a Firebase document (actually, many documents need the same thing) where, due to security reasons, I only allow updates from backend code (aka Firebase functions). I still want connected clients to be able to read this data and in some cases update the data, but only limited fields.

My current solution is below; basically, verify that the value in the document isn't being changed in the request. Yes, this works, but I feel this is problematic because it's easy to forget to update the rules when adding a new field, and since I haven't found any really good tools to edit rules it's fairly tedious.

This is an example of what I'm doing now:

  allow update: if request.auth != null &&
    request.auth.uid == resource.data.firebaseUID &&
    resource.data.pendingDelete == false &&
    // Some values are protected
    resource.data.creditBalance == request.resource.data.creditBalance &&
    resource.data.creditLimit == request.resource.data.creditLimit &&
    resource.data.firebaseUID == request.resource.data.firebaseUID &&
    resource.data.mostRecentTermsOfService == request.resource.data.mostRecentTermsOfService &&
    resource.data.mostRecentTermsOfServiceAccepted == request.resource.data.mostRecentTermsOfServiceAccepted &&
    resource.data.mostRecentTermsOfServiceAcceptedOn == request.resource.data.mostRecentTermsOfServiceAcceptedOn &&
    resource.data.promotionCreditBalance == request.resource.data.promotionCreditBalance &&
    resource.data.promotionCreditsExpiration == request.resource.data.promotionCreditsExpiration &&
    resource.data.registeredOn == request.resource.data.registeredOn &&
    resource.data.testRecord == request.resource.data.testRecord &&
    resource.data.userOwnedCompanyID == request.resource.data.userOwnedCompanyID;

This gets especially ugly when I mix in user roles. It would be great if there was some way to say only X value can be changed, is that even possible?

I had thought about using many of these:

!("creditLimit" in request.resource.data)

But that appears to not work (PERMISSION_DENIED), but it isn't much better, as it appears I would still need to individually list all values I don't want clients to update.

I've looked around a few articles but most appear to be relatively limited and most appear to expect that clients can change almost any value, for example:

Basic Security Rules and Data validation Rules

Doug Stevenson
Kenneth Argo

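An added example, not from the question or any answer on this page, of the allow-list the question asks for: in Firestore rules, `request.resource.data.diff(resource.data).affectedKeys().hasOnly([...])` names the only keys a client may change, so every other field (including ones added later) is protected without being listed. The collection name `accounts`, the client-editable fields `displayName` and `notificationPrefs`, and the `admin` custom claim used for the role branch are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed collection name; the question does not name it.
    match /accounts/{accountId} {

      function signedInOwner() {
        return request.auth != null
          && request.auth.uid == resource.data.firebaseUID;
      }

      // True when the write changes no keys outside `allowed`.
      // On an update, request.resource.data is the full post-write
      // document, so `!("creditLimit" in request.resource.data)` is
      // always false for a field that already exists; diff() compares
      // the stored document with the proposed one instead.
      function onlyTouches(allowed) {
        return request.resource.data.diff(resource.data)
          .affectedKeys().hasOnly(allowed);
      }

      allow read: if signedInOwner();

      // Owners may edit only these keys; creditBalance, creditLimit,
      // firebaseUID, registeredOn and the rest stay read-only for them.
      allow update: if signedInOwner()
        && resource.data.pendingDelete == false
        && onlyTouches(['displayName', 'notificationPrefs']);

      // Role branch (hypothetical custom claim named "admin"): a
      // different allow-list per role instead of one growing rule.
      allow update: if request.auth != null
        && request.auth.token.admin == true
        && onlyTouches(['creditLimit', 'pendingDelete']);

      // Creates and deletes stay server-side; the Admin SDK used by
      // Firebase Functions bypasses these rules entirely.
      allow create, delete: if false;
    }
  }
}
```

A write that changes nothing yields an empty `affectedKeys()` set, which `hasOnly` accepts, so a no-op update by the owner is allowed; for `create` there is no `resource.data` to diff against, so use `request.resource.data.keys().hasOnly([...])` there instead.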