firebase-security-rules

问题 In firestore security rule, the resource.data is an emtpy object always, is this a bug or something ? My firestore rules: service cloud.firestore { match /databases/{database}/documents { match /hospitals/{document=**}{ // allow read :if resource.data.size() == 0; //this return true, resource.data is an empty object allow read :if resource.data.name != null; // this doesn't work } } } My javascript: auth().onAuthStateChanged((user) => { if (user) { //db is the firestore instance db.collection

问题 I am having difficulty trying to diagnose a particular rule in my firestore.rules file. See that question here for context. Is there a way to debug the firestore.rules file and/or functions? I'm using unit testing and the emulators to test my rules, but I would really love to see exactly what values are being evaluated by the rules engine. For instance, here is my firestore.rules file: rules_version = '2'; service cloud.firestore { match /databases/{database}/documents { match /organizations/

问题 I have following character collection structure in my database (firestore) /characters/{uid} - username: string - clan: string - mana: number - health: number etc... I am trying to figure out a security rule for /characters/{uid} with following logic service cloud.firestore { match /databases/{database}/documents { // Characters match /characters/{characterID} { allow create: if isValidUsername(); } } } here function isValidUsername checks for various things like length, special characters

问题 I recently developed with the implementation of firestore and firestore security rules. Certain authenticated users can grab data if they are created by them, was one of the feature of the app. i.e, A creates X B creates Y A can't access Y and B can't access X. This is ensured using security rules. I deployed the app with cloud functions, and this acts as an api. Simulating the security rules passes without failure, but when called the api for accessing via tool like postman, A can access Y

问题 I want to write a rule like this: service cloud.firestore { match /databases/{database}/documents { match /users/{userId}/{document=**} { allow read, write: if request.auth.uid == userId; } } } That is, I want to allow all read and write operations to all of a user's data if that user is the authenticated user . Unfortunately that does not work. I get an error specifying that I don't have permission to access the data. 回答1: This code solved the problem: service cloud.firestore { match

问题 I have a data structure as following: { "users" : { "31J59dq1clZ3inHMzoopiigsEg63" : [ { "name" : "Lanchana", "timestamp" : 1516916245423, "uid" : "31J59dq1clZ3inHMzoopiigsEg63", "userEmail" : "*****@gmail.com", "total-stars" : 123 } ] } } and fire rules as following: { "rules": { "users": { "$uid": { ".read": "$uid === auth.uid && auth != null", ".write": "!data.exists() || data.child('uid').val() == auth.uid && auth != null", } } } } I can add new data successfully but I cannot make any

问题 I'm having an issue when i try to access some documents. It says i don't have permission for accessing the docuemnt. So I have the following in the Firestore rules match /reservations/reservations-request/list/{reservationInfo} { allow read: if get(/databases/$(database)/documents/reservations/reservations-request/list/$(reservationInfo)/members-id/data).data.driverId == request.auth.uid || get(/databases/$(database)/documents/reservations/reservations-request/list/$(reservationInfo)/members

问题 I think from searching the web this is not technically possible but I want to ask again in case I'm missing something. I have an app that uses Firebase. Reading and writing is locked down through security rules for authorised users only but there's certain information I want unauthorised users to be able to access (so I don't have to put a login wall in front of them, influencing churn). What I want to know is, is there any way of locking down this read access that only my app can call the DB

问题 my current firebase realtime security rules are like below { "rules": { "users": { ".read" : true, ".indexOn": ["email"], "$user_id": { ".read": true, ".write": "auth != null && $user_id === auth.uid" } } } } they translates as only the authenticated user can write the data to his own node under users/ However, we have admin users who should be able to modify the data of non admin users. The way we identify admin users are a user property isAdmin which is true for admin users. so the sample

问题 I'm trying to create a Security Rule based upon request.time as given in an example on AngularFirebase website. My function is function isThrottled() { return request.time < resource.data.lastUpdate + duration.value(1, 'm') } Where I'm trying to allow update: if isThrottled() == false However, when I try to update a document with this rule, it fails due to time being not defined on the object. Error: simulator.rules line [169], column [12]. Property time is undefined on object. Shouldn't