I want to give a user the right to update a document. But ONLY if the user updates one specific field of this document. All other fields shouldn't be changed by this user.
Is this possible in firestore?
I tried something like this:
function isUpdateToOpenField(attr) {
return attr == get(/databases/$(database)/documents/stores/$(store)).data.open;
}
allow update: if isUpdateToOpenField(request.resource.data);
But I don't know how to compare if the update corresponds to the right field.
Map diffs in the Rules language were introduced to solve this:
function isUpdateToOpenField() {
return request.resource.data.diff(resource.data).affectedKeys().hasOnly(['open']);
}
allow update: if isUpdateToOpenField();
attr to the function but never use itrequest.resource.data :)
Update: Instead of writeFields, you can now use Map.diff()
Check out the writeFields variable for security rules:
allow update: if ((request.writeFields.size() == 1) && ('open' in request.writeFields));
&& ('foo.bar' in request.writeFields) works as expected.You can use :
allow update: if request.resource.data.diff(resource.data).affectedKeys().hasOnly(["fieldToBeUpdated"]);
OR
allow update: if request.resource.data.diff(resource.data).affectedKeys() == ["fieldToBeUpdated"].toSet;
You can replace affectedKeys() with addedKeys() , removedKeys() or changedKeys() depending upon your use case.
affectedKeys() as the name suggests is equivalent to using all the three together.
For more details please read the docs here https://firebase.google.com/docs/reference/rules/rules.MapDiff
Since writeFields is deprecated and should not be used, you will have to examine request.resource.data. However, it always contains all of the fields of the written document (it's final state). This means that you will have to compare all of the fields of the written document to the fields of the original document in resource.data in order to make sure that only the ones that changed are the ones that you allow to be changed.
Currently this requires an explicit check for every field that could possibly be written, which is not fun to implement. The Firebase team is looking into ways of making this sort of rule easier to express by allowing you to diff the data maps of the "before" and "after" documents.
Since request.resource.data will show the future object after the write - the only way is to check every field using the following:
function notUpdating(field) {
return !(field in request.resource.data)
|| resource.data[field] == request.resource.data[field]
}
allow update: if notUpdating('title') && notUpdating('description')
Make sure you validate that the user doesn't update all of the fields except the field you want him to have access to
the same answer of "Scott Crossen" with little change, to be more genric
function isUpdateToOpenField(attr) {
return request.resource.data.diff(resource.data).affectedKeys().hasOnly([attr]);
}
allow update: if isUpdateToOpenField('open');