配置Firestore安全规则，以允许用户仅有效地访问自己的数据 [英] Configure the firestore security rules to allow users to only access their own data - efficiently

问题描述

在firestore中使用angularfire2 rc 2.

Using firestore with angularfire2 rc 2.

在没有有效的安全规则的情况下，所有开发工作都很好.

All is working very nicely in development with no effective security rules.

这些是没有安全性的规则-客户端代码将在$COLLECTION_NAME/document下创建，更新和删除集合，而不会出现问题.

These are the no security rules - where the client code will create, update and delete collections below the $COLLECTION_NAME/document without issue.

service cloud.firestore {
    match /databases/{database}/documents {
        match /collectionA/{userId=**} { 
            allow read, write: if true;
        }
        match /collectionB/{userId=**}  {
            allow read, write: if true;
        }
        match /collectionC/{userId=**}  {
            allow read, write: if true;
        }
        match /collectionD/{userId=**}  {
            allow read, write: if true;
        }
    }
}

我要去的地方是只允许用户访问自己的数据.

Where I want to get to is to only allow users to access their own data.

我首先遵循以下规则:

service cloud.firestore {
    match /databases/{database}/documents {
        match /collectionA/{userId=**} { 
            allow read, write: if request.auth.uid == userId;
        }
        match /collectionB/{userId=**}  {
            allow read, write: if request.auth.uid == userId;
        }
        match /collectionC/{userId=**}  {
            allow read, write: if request.auth.uid == userId;
        }
        match /collectionD/{userId=**}  {
            allow read, write: if request.auth.uid == userId;
        }
    }
}

但是，一旦我添加了任何限制规则，包括仅验证请求，都将得到授权.

However, as soon as I add any sort of restrictive rule including even just validating the request is authorised.

match /databases/{database}/documents {
    match /collectionA/{userId=**} { 
       allow read, write: if request.auth;
    }
    match /collectionB/{userId=**}  {
        allow read, write: if request.auth;
    }
    match /collectionC/{userId=**}  {
        allow read, write: if request.auth;
    }
    match /collectionD/{userId=**}  {
         allow read, write: if request.auth;
    }
}

我收到代码许可错误.

[code = permission-denied]:缺少权限或权限不足.

[code=permission-denied]: Missing or insufficient permissions.

FirebaseError:缺少权限或权限不足.

FirebaseError: Missing or insufficient permissions.

每个{userId}文档都包含一个集合，该集合又包含文档，因此完整路径可能类似于

Each {userId} document contains a collection which in turn contains documents so a full path might be something like

const entryCollection: AngularFirestoreCollection<Entry> = this.angularfirestore.collection('collectionC/' + user.uid + '/records' + '/2017-40' + '/entries');

应该对请求进行身份验证，因为只有在使用Firebase身份验证进行身份验证之后，才在客户端中授予访问权限.记录表明该uid存在，并且确实在创建collectionA或B或C或D下的文档时，使用uid命名了user.uid文档.

The requests should be authenticated as the access is only granted in the client following authentication using firebase authentication. Logging indicates the uid is present and indeed when creating the document below collectionA or B or C or D the user.uid document is named using the uid.

推荐答案

简短的答案是{userId=**}导致userId是path而不是string.这意味着将其与request.auth.uid(字符串)进行比较将失败.取而代之的是，您可能想要以下内容:

The short answer is that {userId=**} results in userId being a path and not a string. This means that comparing it to request.auth.uid (which is a string) will fail. Instead, you'll likely want something like:

service cloud.firestore {
    match /databases/{database}/documents {
        match /collectionA/{userId}/{allSubcollections=**} { 
            allow read, write: if request.auth.uid == userId;
        }
    }
}

这将确保userId是字符串，然后匹配适当的子集合(请注意，再次allSubcollections将是path).

This will guarantee that userId is a string, and then match the appropriate subcollections (note that again, allSubcollections will be a path).

这篇关于配置Firestore安全规则，以允许用户仅有效地访问自己的数据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！