Understanding the limits of Cloud Firestore's security rules


Question

I'm writing the security rules for my Firestore database, and I got to the point where I'm probably writing too many checks and the authorization automatically fails.

For example the rules for a specific path are

service cloud.firestore {
  match /databases/{database}/documents {
    match /pending/{userId} {
      match /rate/{vendorId}/events/{eventId}/ratings/{rateId} {
        allow write: if request.auth.uid == userId
            && exists(/databases/$(database)/documents/vendors/$(vendorId)) // The vendor must exist
            && exists(/databases/$(database)/documents/users/$(userId)/subscriptions/$(vendorId)) // The user must be subscribed to the vendor
            && exists(/databases/$(database)/documents/vendors/$(vendorId)/events/$(eventId)) //  The event must exist
            && !exists(/databases/$(database)/documents/vendors/$(vendorId)/events/$(eventId)/ratings/$(userId)) // The user must not have already voted for the event
      }
    }
  }
}

These rules apply when writing to /pending/{userId}/rate/{vendorId}/events/{eventId}/ratings/{rateId}

Removing one or a combination of rules makes everything work again. I read on the documentation about a limit of 10 developer-defined functions here, but exists and get are listed as service-defined and should not be counted. Even if they were, here I'm only using five.

Is there a more efficient way to check the same fields? How do I calculate how much a single line counts into reaching the 10 functions limit?

Thanks

Recommended answer

Firebase PM here: Currently, we limit the number of get() and exists() calls in a given rule evaluation to three, which is why you're seeing the behavior fail after adding the fourth. I'll make sure the docs are appropriately updated to include this info.

EDIT (4/2/18): These limits are now documented: https://firebase.google.com/docs/firestore/security/rules-structure#security_rule_limits

EDIT (5/14/18): We increased the limit to 10: https://firebase.google.com/docs/firestore/security/rules-structure#security_rule_limits

get() and exists() calls are more computationally expensive than "normal" rule evaluations, and we want to ensure a tight bound on evaluation time, so as to not slow down incoming requests. I'm pretty sure we can increase the number greater than three, but be aware that we'll look up all of these keys/values and it may take a little longer/cost a little more to evaluate each request.

Note that in this specific case, you're able to do this with three calls:

service cloud.firestore {
  match /databases/{database}/documents {
    match /pending/{userId} {
      match /rate/{vendorId}/events/{eventId}/ratings/{rateId} {
        // Only allow a document to be created
        allow create:
            // The user must not have already voted for the event
            if request.auth.uid == userId
            && request.auth.uid == rateId
            // The vendor must exist
            && exists(/databases/$(database)/documents/vendors/$(vendorId)) 
            // The user must be subscribed to the vendor
            && exists(/databases/$(database)/documents/users/$(userId)/subscriptions/$(vendorId)) 
            //  The event must exist
            && exists(/databases/$(database)/documents/vendors/$(vendorId)/events/$(eventId));
        // Not necessary unless you want to allow updates
        allow update: if ...;
      }
    }
  }
}
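
For the question's "how do I calculate" part, the following is an added example (not part of the original question or answer, and not Firebase tooling): a rough static counter of get()/exists() calls per allow statement, checked against the limits quoted in the answer. The names countAccessCalls and report and the trimmed rule strings are constructed for illustration; the counter does not expand custom functions or model short-circuit evaluation.

```javascript
// Added example: static count of get()/exists() calls per `allow` statement.
// Matches bare get( / exists( only; `.get(` on a map is a method, not a lookup.
const ACCESS_CALL = /(?<![.\w])(get|exists)\s*\(/g;

function countAccessCalls(rules, limit) {
  // Drop // comments line by line (the paths on this page never contain "//").
  const text = rules.split('\n').map((l) => l.replace(/\/\/.*$/, '')).join('\n');
  const allows = [...text.matchAll(/\ballow\s+([\w,\s]+?)\s*:/g)];
  return allows.map((m, i) => {
    const from = m.index + m[0].length;
    const to = i + 1 < allows.length ? allows[i + 1].index : text.length;
    // Simplification: the condition ends at the first ';' or '}'.
    const cond = text.slice(from, to).split(/[;}]/)[0];
    const calls = (cond.match(ACCESS_CALL) || []).length;
    return { methods: m[1].split(',').map((s) => s.trim()), calls, overLimit: calls > limit };
  });
}

// Constructed inputs: the two rule bodies from this page, trimmed to the allow statements.
const QUESTION_RULE = `
match /rate/{vendorId}/events/{eventId}/ratings/{rateId} {
  allow write: if request.auth.uid == userId
    && exists(/databases/$(database)/documents/vendors/$(vendorId)) // The vendor must exist
    && exists(/databases/$(database)/documents/users/$(userId)/subscriptions/$(vendorId))
    && exists(/databases/$(database)/documents/vendors/$(vendorId)/events/$(eventId))
    && !exists(/databases/$(database)/documents/vendors/$(vendorId)/events/$(eventId)/ratings/$(userId))
}`;

const ANSWER_RULE = `
match /rate/{vendorId}/events/{eventId}/ratings/{rateId} {
  allow create: if request.auth.uid == userId
    && request.auth.uid == rateId
    && exists(/databases/$(database)/documents/vendors/$(vendorId))
    && exists(/databases/$(database)/documents/users/$(userId)/subscriptions/$(vendorId))
    && exists(/databases/$(database)/documents/vendors/$(vendorId)/events/$(eventId));
  allow update: if ...;
}`;

// Run both rule sets against a given limit (3 originally, 10 after the 5/14/18 edit).
function report(limit) {
  return {
    question: countAccessCalls(QUESTION_RULE, limit),
    answer: countAccessCalls(ANSWER_RULE, limit),
  };
}

console.log(JSON.stringify(report(3), null, 2));
```
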
