Firestore security rules for public and private fields


Question

As for security rules of Firebase Realtime Database, both public and private data can exist in the same tree using a rule such as the following.

However, when using Firestore, it doesn't seem to enable us to do the same, because the chunk of data we can retrieve is only under a collection or document. When public and private data are defined in the same document and we get data via collection/document, we'd get an insufficient-permissions error for the private data if we are not the owner.

When using RTDB, we can get the data of 'users/{userId}/publicInfo' because we don't have any notion of collection/document.

Is there any way to do this RTDB approach with Firestore? Otherwise, should we have separate public/private collections?

// rule of Firebase Realtime Database
"users": {
   "$user_id": {
       ".read": "auth.uid === $user_id",
       ".write": "auth.uid === $user_id",

       "private": {
          ".read": "auth.uid === $user_id"   // --- private data
       },

       "public": {
          ".read": "auth !== null"           // --- public data
       }
   }
}

// Firestore
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {

      match /{private=**} {
        allow read, write: if request.auth == userId;
      }

      match /{public=**} {
        allow read, write: if request.auth != null;
      }
    }
  }
}

Recommended answer

So you can't have separate security rules for separate parts of a document. You can either read the entire document, or you can't.

That said, if you wanted to give your userID document a "public" and a "private" subcollection that contain documents that are public and private, that's something you can totally do, just not in the way you've currently set up your security rules.

The match /{private=**} bit as you've written it doesn't mean "Match any subcollection that's called 'private'". It means "Match any subcollection, no matter what, and then assign it to a variable called private". The "Recursive matching with wildcards" section of the docs covers this in more detail.

Also, you need to reference request.auth.uid to get the user's ID.

So, you probably want something more like this:

// Firestore
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // You'll probably want to add security rules around the user document 
      // itself. For now, though, let's look at our subcollections:

      match /private/{anything=**} {
        // Only the user can read documents in their private collection
        allow read, write: if request.auth.uid == userId;
      }

      match /public/{anything=**} {
        // Anybody can read documents here, as long as they're signed in
        allow read, write: if request.auth != null;
      }
    }
  }
}
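As an added example that is not part of the original answer, here is a complete rules file along the lines the answer describes. It also covers the user document itself (which the answer leaves as a to-do) and restricts writes to the public subcollection to the owner, since the answer's version lets any signed-in user write into any other user's public subcollection. The `rules_version = '2'` line and the two helper functions are assumptions of this example, not something from the page.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Helper functions (assumed here; not from the original answer).
      function signedIn() {
        return request.auth != null;
      }
      function isOwner() {
        return signedIn() && request.auth.uid == userId;
      }

      // The user document itself: any signed-in user may read it,
      // only the owner may create, update or delete it.
      allow read: if signedIn();
      allow write: if isOwner();

      // Private subcollection: owner only, for both reads and writes.
      match /private/{document=**} {
        allow read, write: if isOwner();
      }

      // Public subcollection: readable by any signed-in user, but
      // writable only by the owner. Granting write to every signed-in
      // user here would let one user overwrite another user's public data.
      match /public/{document=**} {
        allow read: if signedIn();
        allow write: if isOwner();
      }
    }
  }
}
```

Because rules are evaluated per document, anything the owner wants to keep private has to live under `private/`, and anything meant to be shared lives under `public/`; a field inside the user document itself is visible to everyone who can read that document. Deploy with `firebase deploy --only firestore:rules`, and check the behaviour against the Firestore emulator before relying on it.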
