使用对另一个文档的引用的Firestore安全规则 [英] Firestore security rule using reference to another document

问题描述

我试图将安全规则基于对另一个对象的引用.

I am trying to base a security rule on a reference to another object.

我有一个用户集合和一个角色集合.用户对象具有一个称为角色"的字段，该字段是对角色集合中特定文档的引用.

I have a collection of users and collection of roles. A user object has a field called "role" that is a reference to a particular document in the roles collection.

users
  id
  name
  role <-- reference to particular role

roles
  id
  name
  isSuperUser

这里的目标是允许具有特定角色(具有isSuperUser == true的角色)的用户编辑任何其他角色或其子集合；

The goal here is to allow a user with a particular role (the role with isSuperUser == true) to edit any other role or it's sub-collections;

这是我本以为会有效的规则:

Here are my rules that I would have thought would have worked:

service cloud.firestore {
   match /databases/{database}/documents {
    match /users/{userId=**} {
     allow read, write: if request.auth.uid == userId;
   }
   match /roles/{roleId=**} {
      function isSuperUser() {
       return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role.isSuperuser == true;
      }
      allow read: if request.auth.uid != null;
      allow write: if isSuperUser();
   }
}

我已经确认了以下作品，但这并不是真的有用...

I have confirmed the following works, but it's not really that useful...

get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role != null;

如果有更好的方法来实现基于角色的安全性，那么我会耳目一新.

If there is a better way to accomplish role base security, I am all ears.

缺少任何调试工具，这使它很沮丧.

The lack of any debugging tools makes this quite frustrating.

推荐答案

我知道距最初的问题已经有一段时间了，但是我遇到了类似的问题，希望对您或其他人有帮助.

I know it's been a while since the original question but I've had a similar issue and I hope this could help you or others.

您的条件是: get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role.isSuperuser == true;

Your condition is: get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role.isSuperuser == true;

但是role是参考，(显然)意味着您也需要get.试试这个:

But role is a reference, which (apparently) means you need to get it as well. Try this:

get(get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role).data.isSuperuser == true;

get(get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role).data.isSuperuser == true;

这篇关于使用对另一个文档的引用的Firestore安全规则的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！