Firestore Security Rules is allowing updates without an update rule
It's possible I'm not understanding proper use of firestore sdk set() method. My understanding is that if a document id does not exist it will perform a "create". If it does it will perform an "update" to the existing document and overwrite unless merge=True is included. That's not what I'm seeing however.
I have the following firestore db structure:
Investment (collection)
News (subcollection)
These are my current rules:
rules_version = '2';
service cloud.firestore {
function isUpdateToActivityField() {
return request.resource.data.diff(resource.data).affectedKeys().hasOnly(['activity']);
}
match /databases/{database}/documents {
match /Investment/{iid} {
allow read: if request.auth != null;
allow update: if request.auth != null && isUpdateToActivityField();
allow create: if request.auth != null;
match /News/{nid} {
allow read: if request.auth != null;
allow create: if request.auth != null;
}
}
}
}
If I manually modify fields in news items and then perform an update it will overwrite my records reverting the text.
This is how I'm using the set() method.
product_ref = client.collection("Investment").document(self.symbol)
batch = client.batch()
for n in news:
ndict = n.to_dict()
new_news_ref = product_ref.collection("News").document(ndict.pop("uuid"))
batch.set(new_news_ref, ndict, merge=True)
batch.commit()
My goal is just to have the rules prevent a create or update if the record is already there without having to check in code. I've even tried changing the create rule to:
allow create: if request.auth != null && !exists(/databases/$(database)/documents/Investment/$(iid)/News/$(nid))
No luck however.
Am I going about this incorrectly?
The Python SDK for Cloud Firestore is considered a server-side SDK, which means it bypasses the security rules you set for the project. From the documentation:
Server client libraries create a privileged Firebase environment with full access to your database. In this environment, requests are not evaluated against your Firebase security rules. Privileged Firebase servers are secured using Identity and Access Management (IAM), see Security for server client libraries.
You should only use server-side SDKs in trusted environments, where you can ensure the code accessing the project is code that you control.
To enforce the security rules, use client-side SDKs for Firestore which are available for Web, Android, iOS, C++, Unity, and Flutter.
- How to tackle time limit exceeded error in leetcode
- Python requests is slow and takes very long to complete HTTP or HTTPS request
- Iterating over two lists one after another
- Python -i flag for production
- list() vs iterable unpacking in Python 3.5+
- How to resolve "cannot import name '_MissingValues' from 'sklearn.utils._param_validation'" issue when trying to import imblearn?
- Collatz Loop Structure
- Hide axis label only, not entire axis, in Pandas plot
- How can I validate a date in Python 3.x?
- How to render a pdf file as pdf in browser using django
- Polars pivot + unpivot operation with multiple values (pandas stack / unstack alternative / UDF over)
- Selenium gives "selenium.common.exceptions.WebDriverException: Message: unknown error: cannot find Chrome binary" on Mac
- Finding the source code of methods implemented in C?
- What is the behaviour of xarray when multiplying data arrays?
- Proper use of ctypes to call _Py_Mangle?
- How do I install PIL/Pillow for Python 3.6?
- Python loop on list
- Where to locate virtual environment installed using poetry | Where to find poetry installed virtual environment
- String-based enum in Python
- How do I get .nbt file to save properly with a new nbtlib.tag.File object?
- Hackerrank doesn't accept my code. Why?
- How to install PYODBC in Databricks
- How Can I Find the Range of a Function in Sympy
- how to set proxy with authentication in selenium chromedriver python?
- What's the polars equivalent to the pandas `.iloc` method?
- How to pass Desired Capabilities to Undetected Chromedriver with Selenium Python?
- ajax not passing data to view in Django
- Problem with pip install mariadb - mariadb_config not found
- Why do imaginary number calculations behave differently for exponents up to 100 and above 100?
- ClassifierChain with Random Forest: Why is np.nan not supported even though Base Estimator handles it?