Firestore Security Rules allow specific field only

Question

I am trying to implement security rule to limit users to access only specific fields inside a document. My data structure goes like this:

document {
  name: John,
  dob: 1994,
  email: john@hotmail.com
}

I want to limit the name field to read, write by owner; dob field to read by owner, create by owner; email to read by owner, update by owner

I read the documentation, and it seems that I can only control access of a specific document with security rules. It didn't mention anything to allow access to a specific field. What I should do in order to allow access to specific fields inside a document?

score 4 · Accepted Answer · answered Jul 14 '20 at 21:19

4

Security rules can't be used to limit access to individual fields in a document. If a user has direct read access to a document, they can always read every field in the document.

Your only alternatives here are:

Split the restricted fields into a document in another collection, and protect that collection differently.
Reject direct access to the collection entirely, and force users through an API endpoint that strips out the restricted fields based on the user's identity, which was passed to the endpoint.

answered Jul 14 '20 at 21:19

Doug Stevenson

297,357
32
422
441

Thanks @Doug Stevenson, is there a documentation on how to do 2. specifically? – Chen Jul 14 '20 at 23:28
You'll have to decide what you want to use as your backend. There is definitely not just one way to achieve this. – Doug Stevenson Jul 14 '20 at 23:49
do you mean that I sent a request to the backend, and use Admin configured with my service account to allow user to update the fields I am not restricting? – Chen Jul 15 '20 at 13:47
Sure, you can do it that way. – Doug Stevenson Jul 15 '20 at 15:50
Is there any plan in the future to support restriction to field level? Thanks – Bitwise DEVS Oct 11 '22 at 03:17

Firestore Security Rules allow specific field only

1 Answers1

Linked

Related