I have a document where each invited user has a field (their request.auth.uid), with a number value representing their access level.
I want users to be able to delete their user field from the document, but not be able to increase the level of their field.
The code to remove their own user field is simply:
documentReference.update(myUserId, FieldValue.delete());
I can delete the field fine, but I can't figure out how to write a rule to allow for this (and not other updates to the field) in Firestore Security.
I've tried rules like:
allow update: if (request.resource.data[request.auth.uid] < resource.data[request.auth.uid]);
and
allow update: if !(request.resource.data[request.auth.uid] > 0);
but they lead to errors (I'm guessing because the field no longer exists).
Something to note: the rules above will still work when I'm updating the user field value from the original value to a lower (non-delete) value, and
allow update: if request.auth.uid in request.writeFields;
still returns true when using FieldValue.delete(), so it's not an issue with the user id.
