Firestore Security Rules: Prevent Modification of Certain Fields

Enforce initialization of approval_status = 0 and admin_remark = null during document creation.

Ensure the approval_status and admin_remark values cannot be modified on update (they must be the same as the existing values).

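match /item/{item_id} {
  function validCreate() {
    // fields must be initialized as such
    return request.resource.data.approval_status == 0 && request.resource.data.admin_remark == null;
  }

  function validUpdate() {
    // prevent the user from changing these fields:
    // the incoming value must equal the stored value
    return request.resource.data.approval_status == resource.data.approval_status && request.resource.data.admin_remark == resource.data.admin_remark;
  }

  allow read: if true;
  // allow get: if true;
  // allow list: if true;

  allow create: if validCreate();
  allow update: if validUpdate();
  allow delete: if false;
}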

In practical usage, you would probably restrict modification for regular users but allow admins to modify these fields.

allow create: if (isUser() && validCreate()) || isAdmin();
allow update: if (isUser() && validUpdate()) || isAdmin();

NOTE: Refer to Firestore security rules and Firestore check is admin security rules.
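An alternative form of the same checks, added here as an example (it is not the author's code): the update rule uses the rules language's `diff()` and `affectedKeys()` so that a write is rejected only when `approval_status` or `admin_remark` is added, removed or changed, and it still evaluates when a stored document lacks one of those fields. The create rule additionally requires both keys to be present. The surrounding `service` and `/databases/{database}/documents` wrapper is the standard one, assumed here.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /item/{item_id} {
      function validCreate() {
        let data = request.resource.data;
        // Require both keys to be present, then pin their initial values.
        return data.keys().hasAll(['approval_status', 'admin_remark'])
            && data.approval_status == 0
            && data.admin_remark == null;
      }

      function validUpdate() {
        // request.resource.data is the document as it would look after the
        // write; resource.data is the stored document. affectedKeys() is the
        // set of keys added, removed or changed between the two.
        return !request.resource.data.diff(resource.data)
                 .affectedKeys()
                 .hasAny(['approval_status', 'admin_remark']);
      }

      allow read: if true;
      allow create: if validCreate();
      allow update: if validUpdate();
      allow delete: if false;
    }
  }
}
```

Because `request.resource.data` on an update is the merged post-write document, a partial update that does not mention the protected fields passes both this check and the equality check above.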


✨ By Desmond Lua
