Firestore: restricting child/field access with security rules


Question

If I understand correctly [1], in Firebase there is no way to restrict user's access to data they own, nor a way to hide sensitive columns. Is this better in the newly released Firestore? Does it have workarounds?

One alternative I could think of would be to route such requests through a Cloud Function so as to filter as required, instead of allowing direct access. Might that work?

[1] Restricting child/field access with security rules

Recommended answer

Firestore (and Firebase) don't really make distinctions about who "owns" data. You can craft rules to implement ownership policies, but there's nothing intrinsic that forces this to be the case.

In Firestore, rules apply to whole documents, so you cannot hide sensitive columns. A typical solution is to have public fields in one document and private fields in a second. You can then write rules to enforce different access to the separate documents.

When writing multiple documents like this, you have a few options. One way is to write the entirety of the record into the private half and have a function filter that and write the public part. The downside of this is that there is a delay between when you write the private part and when you can see the updated public part.

Another approach is to use write batches to write to both documents in an atomic manner. Unlike full-blown transactions, which require you to be online, write batches can be used while offline, and are appropriate where you need to make an atomic change to two or more documents but you don't expect any other writes to contend. A user updating their own profile would be a great example of a case where write batches work very well.
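The public/private split and the batched write described in the answer, as an added example that is not part of the original answer. The collection layout (`users/{uid}` with a `private/profile` subdocument), the field names, the open-read rule on the public half and the helper names `splitProfile` and `saveProfile` are assumptions; `db` is a Firestore instance using the namespaced API (`db.batch()`, `db.collection().doc()`).

```javascript
/* Firestore security rules for this layout (paths are assumptions):
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{uid} {
      allow read: if true;                                   // public half
      allow write: if request.auth != null && request.auth.uid == uid;
      match /private/{docId} {                                // private half
        allow read, write: if request.auth != null && request.auth.uid == uid;
      }
    }
  }
}
Rules on /users/{uid} do not cascade to the subcollection, so the private
half needs its own match block.
*/

// Allow-list of fields that may appear in the public document (assumed names).
// Anything not listed here lands in the private document, so a newly added
// field is private by default instead of leaking by default.
const PUBLIC_FIELDS = new Set(["displayName", "avatarUrl", "bio"]);

// Split one profile record into its public and private halves.
function splitProfile(record) {
  const pub = {};
  const priv = {};
  for (const [key, value] of Object.entries(record)) {
    (PUBLIC_FIELDS.has(key) ? pub : priv)[key] = value;
  }
  return { pub, priv };
}

// Write both halves in one write batch: either both documents change or
// neither does, so readers never see a public half without its private half.
function saveProfile(db, uid, record) {
  const { pub, priv } = splitProfile(record);
  const userRef = db.collection("users").doc(uid);
  const privateRef = userRef.collection("private").doc("profile");
  const batch = db.batch();
  batch.set(userRef, pub);
  batch.set(privateRef, priv);
  return batch.commit(); // Promise that settles once the server accepts or rejects the batch
}
```
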
