How do I prevent users from editing some Firestore fields of their own profile?

Posted 2025-02-02 11:51:23


All of the Firestore security documents seem to have an assumption that users are malicious enough to hack their own apps and start using that exploited app to take advantage of weak database rules.

Therefore, if my app allows a user to edit certain fields of their profile document, how can I use the rules to lock down the other fields that only the application should be able to edit?

Or have I misunderstood why Firestore rules are necessary? If so, could you please explain. Thank you


Comments (2)

孤独难免 2025-02-09 11:51:23


How can I use the rules to lockdown the other fields that only the
application should be able to edit?

Your question can actually apply to any Firestore document for which you want an end-user to be able to modify only a subset of the document's fields.

There is a specific section in the documentation, which is titled "Preventing some fields from being changed" and which indicates that:

By using the hasAny() method on the set generated by affectedKeys()
and then negating the result, you can reject any client request that
attempts to change fields that you don't want changed.

and which shows the following example:

service cloud.firestore {
  match /databases/{database}/documents {
    match /restaurant/{restId} {
      // Allow the client to update a document only if that document doesn't
      // change the average_score or rating_count fields
      allow update: if (!request.resource.data.diff(resource.data).affectedKeys()
        .hasAny(['average_score', 'rating_count']));
    }
  }
}

which allows users "to update information about a restaurant but not change their average score or number of reviews."

毁梦 2025-02-09 11:51:23


[Editing following the comment below]
If you look at the documentation:
https://firebase.google.com/docs/firestore/security/rules-fields#preventing_some_fields_from_being_changed

they specify the following:

By using the hasAny() method on the set generated by affectedKeys() and then negating the result, you can reject any client request that attempts to change fields that you don't want changed.

For instance, you might want to allow clients to update information about a restaurant but not change their average score or number of reviews.

service cloud.firestore {
  match /databases/{database}/documents {
    match /restaurant/{restId} {
      // Allow the client to update a document only if that document doesn't
      // change the average_score or rating_count fields
      allow update: if (!request.resource.data.diff(resource.data).affectedKeys()
        .hasAny(['average_score', 'rating_count']));
    }
  }
}

reverse logic is in:
https://firebase.google.com/docs/firestore/security/rules-fields#allowing_only_certain_fields_to_be_changed
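An added example, not taken from the question or either answer: a rule set for a per-user profile document that applies the deny-list form quoted above together with the allow-list form (hasOnly()) from the second link and an ownership check. The collection path /users/{userId} and the field names are made up for this example; the allow-list form is the safer default, because a field added to the document later is locked unless it is explicitly listed.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical profile document: displayName, bio and photoUrl are
    // user-editable; role, credits and createdAt are server-owned.
    match /users/{userId} {
      function isOwner() {
        return request.auth != null && request.auth.uid == userId;
      }
      // Keys added, removed or modified by this write.
      function changedKeys() {
        return request.resource.data.diff(resource.data).affectedKeys();
      }

      allow read: if request.auth != null;

      // Creation: the owner may only seed the self-service fields, so a
      // client cannot grant itself a role or a balance on first write.
      allow create: if isOwner()
        && request.resource.data.keys()
             .hasOnly(['displayName', 'bio', 'photoUrl']);

      // Update, allow-list form: every changed key must be self-service.
      allow update: if isOwner()
        && changedKeys().hasOnly(['displayName', 'bio', 'photoUrl']);

      // Equivalent deny-list form from the docs (kept as a comment so the
      // two forms can be compared; it would also be valid on its own):
      // allow update: if isOwner()
      //   && !changedKeys().hasAny(['role', 'credits', 'createdAt']);

      // Server-owned fields are written by the backend through the Admin
      // SDK, which bypasses security rules, so no client rule grants them.
      allow delete: if false;
    }
  }
}
```

Note that diff()/affectedKeys() also flags keys that are removed, so a client cannot sidestep the rule by deleting a protected field and recreating it later.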
