
How to create a security rule that protects certain values and allows creating other values


I am trying to make a security rule that allows creating/updating basic values like 'gender' and 'unit', while also allowing extra values like 'extras' to be created, yet blocking updates to a specific value like 'src'. So basically a user can manipulate gender and unit but cannot touch 'src', yet if he wants he can create extras.

My current logic is like this: it is very strict, allowing only certain fields to be manipulated, and it blocks the manipulation of src, yet it cannot create 'extras'. I just need to tweak it to allow the creation of other fields while keeping the src field immutable.

&& request.resource.data.diff(resource.data)
                        .affectedKeys()
                        .hasOnly(['gender','unit']) 

Solution

  • If you want to allow the user to modify all keys, except for src that'd be:

    !('src' in request.resource.data.diff(resource.data).affectedKeys())
    

    If there are multiple fields, it's probably easier to use a single hasAny:

    !request.resource.data.diff(resource.data)
                          .affectedKeys()
                          .hasAny(['src','otherprotectedfield'])
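
A complete rule set built around the answer's deny-list check, added here as an example and not part of the original question or answer. The `profiles/{uid}` path, the owner check and the create rule are assumptions for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical collection: one profile document per signed-in user.
    match /profiles/{uid} {
      // Keys the client may never add, change or remove.
      function protectedKeys() {
        return ['src'];
      }

      // Keys touched by this write, compared with the stored document.
      // affectedKeys() covers added, changed and removed keys.
      function changedKeys() {
        return request.resource.data.diff(resource.data).affectedKeys();
      }

      function isOwner() {
        return request.auth != null && request.auth.uid == uid;
      }

      allow read: if isOwner();

      // On create there is no stored document (resource is null), so the
      // diff cannot be evaluated; check the incoming keys directly.
      // Assumption: 'src' is written by a trusted backend, not the client.
      allow create: if isOwner()
                    && !request.resource.data.keys().hasAny(protectedKeys());

      // On update any other key may be added or changed ('gender', 'unit',
      // 'extras', ...) as long as no protected key is affected.
      allow update: if isOwner()
                    && !changedKeys().hasAny(protectedKeys());
    }
  }
}
```

Unlike the original `hasOnly(['gender','unit'])` allow-list, this deny-list accepts any new key name, so type and size checks on the fields the application reads still belong in the rule.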