Firestore read rules with self condition

Submitted by 假如想象 on 2020-01-10 08:31:39

Question


I'm currently trying to build a small app on Firebase as an evaluation of it. It looks interesting and super productive, but I have one problem with Firestore rules.

I have one collection (games) with objects looking like this:

{
    "name": String,
    "description": String,
    "owners":
    {
        "uid": String,
        "uid2": String
    }
}

And rules set like this:

service cloud.firestore {
    match /databases/{database}/documents {
        match /games {
            match /{game} {
                allow write: if request.auth != null && request.resource.data.owners[request.auth.uid] == 'ADMIN';
                allow update: if request.auth != null && resource.data.owners[request.auth.uid] == 'ADMIN';
                allow read: if request.auth != null && resource.data.owners[request.auth.uid] == 'ADMIN';
            }
        }
    }
}

While write and update work fine, read only works for single documents. When I try to read a collection I get an access error, as if the user did not have the right to it. The part that makes it not work is

resource.data.owners[request.auth.uid] == 'ADMIN'.

Adding a where("owners."+auth.uid, "==", 'ADMIN') to the collection query does not help either.

What am I doing wrong here? Is there a suggested approach in Firebase Firestore for a similar scenario?

EDIT: I tried adding 'get' and 'list' rules like this:

allow list: if request.auth != null;

allow get: if request.auth != null && resource.data.owners[request.auth.uid] == 'ADMIN';

It didn't work as expected. I expected it to allow me to list documents with where, but if there was a document that I could not get, I expected to get "Missing or insufficient permissions." What I was able to do was list ALL documents but not read some of them directly (the get rule works when trying to fetch a single document but not when listing them from a collection).

EDIT 2: Looks like, according to @MikeMcDonald, my expectation was correct, but it is currently bugged. Waiting for the fix.

EDIT 3: It is now working fine with rules to get and list set in this way:

allow get, list: if request.auth != null && resource.data.owners[request.auth.uid] == 'ADMIN';


Answer 1:


I think create and update work because they are part of write and condition 1 covers it.



Source: https://stackoverflow.com/questions/46667912/firestore-read-rules-with-self-condition
