match /my-data/{userId}
{
allow write: if "name" in request.resource.data;
}
This above validates if name is in the data. But it also allows any other data to be written along with "name". What do I do if I only want name in the data, and if any other data is provided, then deny write operation?
You're looking for the List.hasOnly operation, which allows you to ensure a list has only certain members.
Something like this:
request.resource.data.keys().hasOnly("name")
If the document can already contain any fields, but only the name field is allowed to be modified, you'll want to combine hasOnly wih the map.diff() operation.
So that'd be something like this:
resource.data.diff(request.resource.data).keys().hasOnly("name")
Related
Hello, I have a problem I created a Registration form and im trying to check if there is any user which have a certain username inside the Firebase Db. I tried to get the reference of all the users.
var users = Database.database().reference("users")
But I don't know how I could check if there is any user with a specified username.
You'll want to use a query for that. Something like:
let query = users.queryOrdered(byChild: "username").equalTo("two")
Then execute the query and check whether the result snapshot exists.
Note though that you won't be able to guarantee uniqueness in this way. If multiple users perform the check at the same time, they may both end up claiming the same user name.
To guarantee a unique user name, you will need to store the user names as the key - as keys are by definition unique within their parent node. For more on this, see some of these top search results and possibly also from here.
In my HTML page I have a group of five checkboxes. Their values are 1,2,3,4,5.
In the object to which those checkboxes belong I save them as an array. So if user selects options 2,4,5 I store it as [2,4,5].
I'm stuck at the spot when I try to validate that array in Firebase rules. Is there any way of doing validation like this?
I want to make sure an array like [5,6,7] does not go through the Firestore rules but something like [1,3,4,5] does.
Array type fields in Firestore documents show up as List type objects in security rules. You can use its hasOnly method to determine if the List contains only certain elements.
request.resource.data.arrayField.hasOnly([1,2,3,4,5)
Using REST API for Salesforce, I am trying to insert/update a contact into my business org where 'MailingAddress' is one of the fields with some set data, though in response I am getting this error message 'Cannot deserialize instance of MailingAddress from VALUE_STRING', the same response also resulting in 'OtherAddress'.
To my understanding, I think this is due to the reason that 'MailingAddress' and 'OtherAddress' are not actual fields that contains some String data, rather they take a dynamic address which resulting in filling up all other related fields like - 'MailingCity, MailingStreet, etc'.
So I have 2 questions:
1. How can I set 'MailingAddress' and 'OtherAddress' fields using API parameter only?
2. Is there any manual/documentation for this reference? As I am also having trouble with 'OtherLatitude' and 'OtherLogitude' fields.
Address and geolocation fields are compound fields.
You need to provide the value for the different components of the field, so for example, for MailingAddress you would need to provide MailingStreet, MailingCity, MailingState or MailingStateCode, etc. And for OtherAddress you would provide OtherStreet, OtherCity, etc.
For more information on compound fields: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/compound_fields.htm
I'm trying to use Firestore rules to return only documents where the current user has some sort of rights, following the advice given in https://firebase.google.com/docs/firestore/solutions/role-based-access.
However, when I implement the rule I get the dreaded "[code=permission-denied]: Missing or insufficient permissions" error message which obviously tells me nothing, I was wondering if anyone can spot what is going wrong.
My rules:
//Specific project rules - authorised users who appear in the project list
match /documents/{document} {
function isSignedIn() {
return request.auth.uid != null;
}
function getUser(rsc) {
return rsc.data.users[request.auth.uid];
}
function isOneOfUsers(rsc, array) {
return isSignedIn() && (getUser(rsc) in array);
}
allow list: if isOneOfUsers(resource, ['user','admin']);
The data stores the users information in a field on the document (12345 in the example below. The field is of type Object which allows me to put a key (the userid, 76544 in the example below) and a value against it, such as "admin".
My data:
documents/12345/users{76544:"admin"}
Now when I log on and try to get a list of the documents, I'm expecting to see this document coming back, but I get the error. I can change the function getUser to return "user" and that works, so the problem is somewhere in the evaluation of
rsc.data.users[request.auth.uid]
I would normally accept that I'm trying something that can't be done but it is a near direct copy of the official docs so I must be missing something!
Thanks in advance for your help
Here's what I think is going on: LIST is explicitly not checking every document that it is picking up, rules are not filters etc.
When writing queries to retrieve documents, keep in mind that security
rules are not filters—queries are all or nothing. To save you time and
resources, Cloud Firestore evaluates a query against its potential
result set instead of the actual field values for all of your
documents. If a query could potentially return documents that the
client does not have permission to read, the entire request fails.
Therefore, LIST will always return the full list of /documents/, there is nothing you can write in there beyond authorisation rules that will stop it from returning all of them. If this is true, if any malicious actor gets hold of an authentication, they can download the full list of all of your /documents/.
The only sensible approach to this is to lock down any attempt to use LIST (deny all) and keep your list accessible /documents/ against an individual user instead. This seems onerous, but may be the only way of doing it.
I have two entities Properties and Bookings.
I need to know the URL structure in case I'm filtering the properties base on query on bookings.
In my case I need to get the properties which are free (not occupied) at specific date.
Can it be
api/properties/free/{date}
Or
api/properties/bookings?bookingDate!='1-1-2017'
Or
api/properties?bookingDate!='1-1-2017'
it seems for me that the last one is the more appropriate but the filter is on the bookings not on the properties which is not obvious.
The Facebook Graph API has a interesting way of doing nested queries by using a strategy of fields filter.
The fields filter it´s a way of filter specific fields or nested fields of a rouserce. They also create a standard way to inform functions for every selected field like: limit or equal.
Your request would be something like this:
GET /api/properties?fields=bookings{bookingDate.notEqual('1-1-2017')}
For more information about Facebook´s GraphAPI:
https://developers.facebook.com/docs/graph-api/overview/