Firestore规则来自其他集合的条件 [英] Firestore rule on condition from a different collection
问题描述
我有一个带有两个集合的Firestore数据库:用户和锦标赛.用户具有参与者"角色和管理员"角色,并在用户文档中由"isParticipant"和"isAdmin"布尔值表示:
/users/{userId}:isParticipant:trueisAdmin:是 我为这些集合设置了访问规则,如下所示:
service cloud.firestore {匹配/databases/{database}/documents {匹配/users/{userId} {允许创建,读取;允许更新:如果request.auth.uid == userId;}匹配/tournaments/{tournamentId} {允许创建,读取,更新:if request.auth.uid!= null;}}} 但是,我真正想做的是将比赛的创建限制为具有管理员"角色的用户.我已经在代码中进行了此操作,但是我想使用db规则来提高安全性,以防止管理员用户以外的任何人创建锦标赛.
有没有办法在规则语法中引用不同集合的数据元素?像这样:
匹配/tournaments/{tournamentId} {允许创建:如果resources.users.userId.isAdmin == true;} ?
谢谢.
您可以使用 get 函数访问其他集合中的数据:
//如果用户文档中包含城市名称,则允许用户删除城市//'admin'字段设置为'true'允许删除:如果get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true
有关此详情,请参见访问其他文档在Firebase文档中,这是我从上面获得示例的地方.
要注意的一件事是,这需要阅读其他文档.如果您将用户是其个人资料管理员 作为自定义声明存储的事实,则可以从 request.auth 访问它,而无需额外阅读.例如
允许删除:如果request.auth.token.admin == true 有关更多信息,请参见使用自定义声明控制访问权限和在文档中访问用户令牌.
I have a Firestore db with two collections: users and tournaments. The users have a 'participant' role and an 'admin' role and are indicated by 'isParticipant' and 'isAdmin' booleans in the user document:
/users/{userId}:
isParticipant: true
isAdmin: true
I have access rules set up for these collections like so:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userId} {
allow create, read;
allow update: if request.auth.uid == userId;
}
match /tournaments/{tournamentId} {
allow create, read, update: if request.auth.uid != null;
}
}
}
However, what I really want to do is restrict the creation of a tournament to a user that is of an 'admin' role. I am already doing this in code, but would like the added security of a db rule to prevent anyone but an admin user from creating a tournament.
Is there a way to reference the data element of a different collection within the rules syntax? Something like:
match /tournaments/{tournamentId} {
allow create: if resources.users.userId.isAdmin == true;
}
?
Thanks in advance.
You can access the data in a different collection by using the get function:
// Allow the user to delete cities if their user document has the // 'admin' field set to 'true' allow delete: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true
For more information on this, see access other documents in the Firebase documentation, which is where I got the above example from.
One thing to note is that this requires an additional document read. If you'd store the fact that a user is an admin inside their profile as a custom claim, you could access it from request.auth without needing an extra read. E.g.
allow delete: if request.auth.token.admin == true
For more on this, see control access with custom claims and accessing the user token in the documentation.
这篇关于Firestore规则来自其他集合的条件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
