When a user signs up and they initialise their data in firestore, I want to validate that they aren't attempting to set their role (i.e. so they're not setting it to 'admin' for example).
I tried to write this:
match /users/{userId} {
  allow create: if (signedInAs(userId) && !request.resource.data.role) || isAdmin();
  ...
...but I just see "Property role is undefined on object."
Is there a way to do this safely? Or does this mean I should always be initialising expected fields, even if it's just to the empty string? That doesn't seem to quite fit with the philosophy of NoSQL?
Cloud Firestore Security Rules allow you to control access to documents and collections in your database. The flexible rules syntax allows you to create rules that match anything, from all writes to the entire database to operations on a specific document.
Collections and documents are created implicitly in Cloud Firestore. Simply assign data to a document within a collection. If either the collection or document does not exist, Cloud Firestore creates it.
To be honest, without Firebase Authentication, it's not possible to accept writes to a database without Authentication and also avoid abuse, since anyone could write anything from anywhere on the internet.
Use the in operator to find out if a property of an object doesn't exist.
!("role" in request.resource.data)
This yields a boolean. See it in the rules API docs for the Map type.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With