preventing to create firestore users with other fields than userLastConnection

fcamblor · fcamblor · commit 560593dbcc59 · 2024-10-29T11:59:31.000+01:00
diff --git a/cloud/firestore/firestore.default.rules b/cloud/firestore/firestore.default.rules
@@ -11,6 +11,13 @@ service cloud.firestore {
         && resource.data != null
         && resource.data.diff(request.resource.data).affectedKeys().hasOnly(allowedFieldNames)
     }
+    function onlyAllowedCreatedFields(allowedFieldNames) {
+      return allowedFieldNames != null
+        && request != null
+        && request.resource != null
+        && request.resource.data != null
+        && request.resource.data.diff({}).affectedKeys().hasOnly(allowedFieldNames)
+    }
 
     // By default, prevent reads & writes on any node
     match /{document=**} {
@@ -169,7 +176,8 @@ service cloud.firestore {
 
     match /users/{userId} {
       allow list, delete: if false;
-    	allow get, create: if iAm(userId);
+    	allow get: if iAm(userId);
+    	allow create: if iAm(userId) && onlyAllowedCreatedFields(["userLastConnection"]);
     	allow update: if iAm(userId) && onlyAllowedUpdatedFields(["userLastConnection"]);
 
       match /preferences/self {
diff --git a/cloud/firestore/firestore.default.rules.spec.ts b/cloud/firestore/firestore.default.rules.spec.ts
@@ -744,8 +744,9 @@ const COLLECTIONS: CollectionDescriptor[] = [{
     tests: (userContext: UserContext) => {
         ensureCollectionFollowAccessPermissions('/users/{userId}', userContext,
           {
-            list: false, createNew: false, delete: false, update: false,
-            get: userContext.name === 'fred user', createDoc: userContext.name === 'fred user'
+            list: false, delete: false,
+            get: userContext.name === 'fred user',
+            createDoc: 'check-skipped', createNew: 'check-skipped', update: 'check-skipped' // see below for specificities due to userLastConnection field
           }, 'fred')
 
         ensureCollectionFollowAccessPermissions('/users/{userId}', userContext,
@@ -755,27 +756,71 @@ const COLLECTIONS: CollectionDescriptor[] = [{
           }, 'alice')
 
         if(userContext.name === 'fred user') {
-          it(`As ${userContext.name}, I should be able to only UPDATE userLastConnection field in my user's infos`, async () => {
+          it(`As ${userContext.name}, I should be able to only CREATE userLastConnection field in *my user's* infos`, async () => {
+            await assertSucceeds(setDoc(doc(userContext.context().firestore(),
+              findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'fred')!.path
+            ), { userLastConnection: new Date().toISOString() }))
+          })
+          it(`As ${userContext.name}, I should *NOT* be able to only CREATE userLastConnection field in *another user's* infos`, async () => {
+            await assertFails(setDoc(doc(userContext.context().firestore(),
+              findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'alice')!.path
+            ), { userLastConnection: new Date().toISOString() }))
+          })
+
+          it(`As ${userContext.name}, I should *NOT* be able to CREATE other fields than userLastConnection field in *my user's* infos`, async () => {
+            await assertSucceeds(setDoc(doc(userContext.context().firestore(),
+              findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'fred')!.path
+            ), { userLastConnection: new Date().toISOString(), additionalField: "foo", }))
+          })
+          it(`As ${userContext.name}, I should *NOT* be able to CREATE other fields than userLastConnection field in *another user's* infos`, async () => {
+            await assertFails(setDoc(doc(userContext.context().firestore(),
+              findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'alice')!.path
+            ), { userLastConnection: new Date().toISOString(), additionalField: "foo", }))
+          })
+
+          it(`As ${userContext.name}, I should be able to only UPDATE userLastConnection field in *my user's* infos`, async () => {
             await assertSucceeds(updateDoc(doc(userContext.context().firestore(),
               findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'fred')!.path
             ), { userLastConnection: new Date().toISOString() }))
           })
-          it(`As ${userContext.name}, I should be able to only UPDATE userLastConnection field in my user's infos`, async () => {
+          it(`As ${userContext.name}, I should *NOT* be able to only UPDATE userLastConnection field in *another user's* infos`, async () => {
             await assertFails(updateDoc(doc(userContext.context().firestore(),
               findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'alice')!.path
             ), { userLastConnection: new Date().toISOString() }))
           })
-        } else {
-          it(`As ${userContext.name}, I should be able to only UPDATE userLastConnection field in my user's infos`, async () => {
+
+          it(`As ${userContext.name}, I should *NOT* be able to UPDATE other fields than userLastConnection in *my user's* infos`, async () => {
             await assertFails(updateDoc(doc(userContext.context().firestore(),
               findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'fred')!.path
-            ), { userLastConnection: new Date().toISOString() }))
+            ), { userLastConnection: new Date().toISOString(), additionalField: "foo", }))
           })
-          it(`As ${userContext.name}, I should be able to only UPDATE userLastConnection field in my user's infos`, async () => {
+          it(`As ${userContext.name}, I should *NOT* be able to UPDATE other fields than userLastConnection in *another user's* infos`, async () => {
             await assertFails(updateDoc(doc(userContext.context().firestore(),
               findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'alice')!.path
+            ), { userLastConnection: new Date().toISOString(), additionalField: "foo", }))
+          })
+        } else {
+          it(`As ${userContext.name}, I should *NOT* be able to only CREATE userLastConnection field in *another user's* infos`, async () => {
+            await assertFails(setDoc(doc(userContext.context().firestore(),
+              findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'fred')!.path
+            ), { userLastConnection: new Date().toISOString() }))
+          })
+          it(`As ${userContext.name}, I should *NOT* be able to CREATE other fields than userLastConnection in *another user's* infos`, async () => {
+            await assertFails(setDoc(doc(userContext.context().firestore(),
+              findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'fred')!.path
+            ), { userLastConnection: new Date().toISOString(), additionalField: "foo", }))
+          })
+
+          it(`As ${userContext.name}, I should *NOT* be able to only UPDATE userLastConnection field in *another user's* infos`, async () => {
+            await assertFails(updateDoc(doc(userContext.context().firestore(),
+              findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'fred')!.path
             ), { userLastConnection: new Date().toISOString() }))
           })
+          it(`As ${userContext.name}, I should *NOT* be able to UPDATE other fields than userLastConnection in *another user's* infos`, async () => {
+            await assertFails(updateDoc(doc(userContext.context().firestore(),
+              findManagedCollection('/users/{userId}').docInitializations.find(docInit => docInit.name === 'fred')!.path
+            ), { userLastConnection: new Date().toISOString(), additionalField: "foo", }))
+          })
         }
     }
 }, {
