问题
I want users to be able to create a message (with contact form), but not allow them to read or update. I am adding a new contact as follows:
app.firestore().collection("messages").add({
name: this.state.name,
subject: this.state.subject,
message: this.state.message});
With the following security rules this is allowed:
match /messages/{message}{
allow read, delete: if request.auth.uid=="<SOME_ID>";
allow create: if true;
}
But when I add an update rule like below, I get an unsufficient permission error when adding a new message.
match /messages/{message}{
allow read, delete, update: if request.auth.uid=="<SOME_ID>";
allow create: if true;
}
If I move the update rule below the create, this still doesn't work. But have tried, to set update to "always allow/true" after which the add action works again.
It therefore seems that Firestore somehow looks at the strictest rule out of the update and create rules, but only if the rule for update is explicitly defined. Am I doing something wrong here?
Edit:
match /messages/{message}{
allow read, delete: if request.auth.uid=="<SOME_ID>";
allow create: if true; allow update: if false }
Does not lead to permission issues.. So the behaviour seems specific to the type of check I am doing here..
回答1:
For those who run in to a similar issue in the future. The issue was, that the request did not contain an auth property. For some reason Firebase was checking the condition for the update case, and was testing:
request.auth.uid=="<SOME_ID>"
In the back this must have led to a: "trying to read property uid of null" error and crashed.
function isAdmin() {
return request.auth != null
&& request.auth.uid=="<SOME_ID>";
}
....
allow update: if isAdmin();
Solves it
来源:https://stackoverflow.com/questions/52193559/firestore-update-rule-intervenes-with-create