Firestore安全性

本文介绍了Firestore安全性-仅允许已知字段的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我不知道如何在Firestore中正确设置".validate"规则. 基本上，我希望允许用户文档仅包含我知道的字段: :

I can’t figure out how to properly set the ‘.validate’ rule in Firestore. Basically, I want to allow a User document to contain only the fields I know:

user { name: "John" phone: "2342222" address: "5th Avenue" }

除了上面的3个字段(姓名，电话，地址)之外，我不希望其他任何字段.

I dont want any other fields besides the 3 above (name, phone, address).

不会同时保存字段. 姓名和电话将首先保存，而地址仅在用户要编辑其个人资料时保存.

The fields WON’T be saved at the same time. name and phone will be saved first, and address will be saved only when user wants to edit his profile.

我尝试了以下规则，但似乎不起作用:

I've tried the rules below but don’t seem to work:

allow read: if request.auth.uid == uid; allow write: if request.auth.uid == uid && request.resource.data.keys() in ["name", "phone", "address"]

感谢您的帮助.

推荐答案

您可以将规则分开，以包含不同的create和update(以及delete)逻辑:

You can separate your rules to include different create and update (as well as delete) logic:

// allows for creation with name and phone fields allow create: if request.resource.data.size() == 2 && request.resource.data.hasAll(['name', 'phone']) && request.resource.data.name is string && request.resource.data.phone is string; // allows a single update adding the address field // OR (||) in additional constraints allow update: if request.resource.data.size() == resource.data.size() + 1 && !('address' in resource.data) && request.resource.data.address is string;