Google firebase's firestore rules block key creation/edits

2
votes

I have the following firestore rule to allow user access to only their record. It works fine...

service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, update, delete: if request.auth.uid == userId;
      allow create: if request.auth.uid != null;
    }    
  }
}

Now under the users collection, each document contains a field/key name "isAuthenticated" which is set to true from the server side backend using service account persmission.

How can I setup the rules to make sure even the authenticated user cannot update that particular key?

1
firebasegoogle-cloud-firestorefirebase-security
why track isAuthenticated in your database for each user? - Ronnie Royston

1 Answers

2
votes

To disallow all regular users from creating documents:

allow create: if false;

But note that someone accessing the database with the Admin SDK will still be able to create documents, since they access it with administrative privileges.

**Update*: to prevent the user from updating any fields:

allow update: if false;

To disallow updating a specific field:

allow update: if !("isAuthenticated" in request.writeFields);

See: