Firestore security rule using reference to another document
Problem description
I am trying to base a security rule on a reference to another object.
I have a collection of users and collection of roles. A user object has a field called "role" that is a reference to a particular document in the roles collection.
users
    id
    name
    role <-- reference to particular role
roles
    id
    name
    isSuperUser
The goal here is to allow a user with a particular role (the role with isSuperUser == true) to edit any other role or its sub-collections;
Here are my rules that I would have thought would have worked:
    service cloud.firestore {
      match /databases/{database}/documents {
        match /users/{userId=**} {
          allow read, write: if request.auth.uid == userId;
        }
        match /roles/{roleId=**} {
          function isSuperUser() {
            return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role.isSuperuser == true;
          }
          allow read: if request.auth.uid != null;
          allow write: if isSuperUser();
        }
      }
    }
I have confirmed the following works, but it's not really that useful...
    get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role != null;
If there is a better way to accomplish role-based security, I am all ears.
The lack of any debugging tools makes this quite frustrating.
Recommended answer
I know it's been a while since the original question but I've had a similar issue and I hope this could help you or others.
Your condition is:
    get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role.isSuperuser == true;
But role is a reference, which (apparently) means you need to get it as well. Try this:
    get(get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role).data.isSuperuser == true;
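An added example, not part of the original question or answer: a complete rules file built around the double get() from the answer, with the user document's role field locked so that a signed-in user cannot repoint their own role reference at the super-user role and pass isSuperUser(). It assumes owners may read and update (but not create or delete) their own user document, that every user document already has a role field, and that role is assigned out of band, for example through the Admin SDK.

```firestore
service cloud.firestore {
  match /databases/{database}/documents {

    // users/{uid}.role holds a document reference, which rules see as a
    // path, so the referenced role document needs its own get().
    // The field name is spelled as in the condition above; it must match
    // the stored field exactly, because field names are case-sensitive.
    function isSuperUser() {
      return request.auth != null
          && get(get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role).data.isSuperuser == true;
    }

    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      // Assumption: owners may edit their profile but never the role field.
      // The comparison rejects any update that changes the reference.
      allow update: if request.auth != null
                    && request.auth.uid == userId
                    && request.resource.data.role == resource.data.role;
    }

    match /roles/{roleId=**} {
      allow read: if request.auth != null;
      allow write: if isSuperUser();
    }
  }
}
```

If either get() targets a missing document or the role field is absent, the expression raises an error and the write is denied.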