基于请求查询值的 Firestore 安全规则 [英] Firestore security rules based on request query value
问题描述
我正在尝试保护对集合的请求,以允许任何单个 get
,但仅在匹配特定键时才允许 list
.
I'm trying to secure requests to a collection to allow any single get
, but only to allow list
if a specific key is matched.
数据库结构是这样的:
projects
project1
name: "Project 1 name"
board_id: "board1"
project2
name: "Project 2 name"
board_id: "board2"
boards
board1
board2
我从 Vue 进行的 Firestore 查询:
The Firestore query I'm making from Vue:
// Only return projects matching the requested board_id
db
.collection("projects")
.where("board_id", "==", this.board_id)
我想要的安全规则是这样的:
The security rules I'd like to have would be something like this:
match /projects/{project} {
allow get: if true // this works
allow list: if resource.data.board_id == [** the board_id in the query **]
// OR
allow list: if [** the board_id in the query **] != null
我想这样做是为了让您可以列出特定板中的项目,但不能只列出所有内容.
I want to do this so you can list the projects in a specific board, but can't just list everything.
有没有办法在安全规则中访问请求的 .where()
或者我是否需要将我的 projects
集合嵌套在我的 boards中代码>收集并以这种方式保护它?
Is there a way to access the requested .where()
in the security rules or do I need to nest my projects
collection inside my boards
collection and secure it that way?
推荐答案
这实际上取决于您将来希望如何查询数据.如果您不需要列出所有项目(与板无关),那么您当前的数据模型会更好,并且可以通过将允许的板添加为地图 {board_id: true}
或(理想情况下)/users 文档的子集合.
It really depends on how you want to query data in the future. If you have no requirement to list all of the projects (irrespective of the board), then your current data model is better and can be secured by adding the allowed boards as a map {board_id: true}
or (ideally) sub-collection to the /users document.
/projects/{project_id}
/boards/{board_id}
/users/{uid}/boardPermissions/{board_id}
安全规则
match /projects/{project} {
allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/${resource.data.board_id})
替代数据模型
如果您想对数据进行完全分区(这是我在许多项目中倾向于做的事情),请创建以下模型
Alternative data model
If you want to totally partition your data (which is what I tend to do for many of my projects), then create the following model
/boards/{board_id}/projects/{project_id}
/users/{uid}/boardPermissions/{board_id}
安全规则
match /boards/{board_id}/projects/{project_id} {
allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/${board_id})
这篇关于基于请求查询值的 Firestore 安全规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!