Firebase Firestore-基于"where"的安全规则查询参数 [英] Firebase Firestore - security rule based on "where" query parameters

问题描述

我正在尝试保护对集合的请求，以允许任何单个 get ，但仅在匹配特定键的情况下才允许 list .

I'm trying to secure requests to a collection to allow any single get, but to allow list only if a specific key is matched.

数据库结构如下:

posts
  post1
    content: "Post 1 content"
    uid: "uid1"
  post2
    content: "Post 2 content"
    uid: "uid1"
  post3
    content: "Post 3 content"
    uid: "uid2"

我从Vue进行的Firestore查询:

The Firestore query I'm making from Vue:

// Only return posts matching the requested uid

db
  .collection("posts")
  .where("uid", "==", this.uid)

我想要的安全规则如下:

The security rules I'd like to have would be something like this:

match /posts/{post} {
  allow get: if true // this works
  allow list: if [** the uid in the query **] != null

我想这样做，以便在知道特定用户的 uid 的情况下可以列出特定用户的帖子，但不能列出系统的所有 posts .

I want to do this so you can list the posts of a specific user if you know their uid but can't list all posts of the system.

是否可以在安全规则中访问请求的 .where()，或者在这种情况下如何编写这样的规则或构造数据?

Is there a way to access the requested .where() in the security rules or how can I write such rule or structure my data in this case?

相关&学分:

• 貌似，我可以对查询的 limit ， offset 和 orderBy 发出请求.但是 where 上没有任何内容.请参阅:#1 &#2 .

• Seemingly, I can make a request on a query's limit, offset, and orderBy. But there's nothing on where. See: #1 & #2.

我从此问题中复制粘贴了很多内容.我看不到被接受的答案如何回答问题.似乎可以回答允许用户 list 其他用户的帖子的另一种情况.那不是我的情况.就我而言，什么是公共就是公共.因此，它似乎无法回答我的主要问题.

I copy-pasted much from this question. I don't see how the accepted answer answers the question. It seems like it answers another case where a user is allowed to list some other users' posts. That is not my case; in my case, what's public is public. So, it doesn't answer the main question in my case, it seems.

推荐答案

当前无法使用安全规则来检查查询中是否使用了字段.您唯一可以做的就是仅使用您允许的值来验证文档字段是否已用作过滤器.

There's currently no way, using security rules, to check if a field is being used in query. The only thing you can do is verify that a document field is being used as a filter using only values you allow.

相反，请考虑将足够的数据复制到这样组织的另一个集合中:

Instead, consider duplicating enough data into another collection organized like this:

user-posts      (collection)
  {uid}         (document using UID as document ID)
     posts      (subcollection)
       {postId} (documents using post ID as document ID)

这将要求客户端调出一个UID进行查询，以获取与该用户相关联的所有帖子.您可以根据需要存储尽可能多的有关过帐文档的信息，以便满足查询的需要.

This will require the client to call out a UID to query in order to get all the posts associated with that user. You can store as much information about the post documents as you like, for the purpose of satisfying the query.

类似的复制数据在NoSQL数据库中很常见.如果您不希望用户在任何给定时刻查询所有帖子，则甚至可以将其设置为新的默认结构.请注意，收藏组查询将其命名为帖子"子集合仍将在所有用户的所有帖子中查询，因此您必须

Duplicating data like this is common in NoSQL databases. You might even want to make this your new default structure if you don't want your users to query across all posts at any given moment. Note that a collection group query naming the "posts" subcollection would still query across all posts for all users, so you'd have to make sure your security rules are set up so that this is enabled only when you allow it to happen.

还请注意，通常不会向用户隐藏UID，尤其是如果您的网站本质上是协作的，并且您将多个用户的数据合并到一个页面上时.

Also note that UIDs are typically not hidden from users, especially if your web site is collaborative in nature, and you combine multiple users' data on a single page.

这篇关于Firebase Firestore-基于"where"的安全规则查询参数的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！