问题
I have notification records where there is a text and a list of users (max 10).
{text: "Beware of the dog", users: [ uid1, uid2, uid3, ... ]}
When a user read/acknowledge the notification, I want to remove him from the list of users who can see the notification (then he won't get any anymore).
For that, when the user press the "hide notification button", he send a request to update the notification record with:
users: FieldValue.arrayRemove(uid)
I want to enfore with security rules that the user:
- Doesn't change other part of the notification record.
- Send its uid and only its uid in the arrayRemove part.
Tried with
allow update: if
request.auth.uid != null
&& request.auth.uid in resource.data.users
&& request.resource.size() == 1
&& request.resource.data.users != null;
- The request.resource.size == 1 doesn't work. Can't figure out why as I have only one field in my request.
- I have no way to ensure the arrayRemove is strictly limited to its uid.
Any hint, help, idea well appreciated.
回答1:
I don't think this is possible without a loop, which doesn't exist in security rules. Well: if you know all users, you might be able to enumerate all options, essentially unfolding the impossible loop. But even if this is possible in security rules, the rules are going to be incredibly verbose.
I'd recommend creating a subcollection where each UID is stored in a separate document. In that subcollection you can then implement your requirement by only allowing the user to only delete their own document.
来源:https://stackoverflow.com/questions/54764457/firebase-security-rules-ensure-one-array-remove-only-and-only-to-userid