Firestore security rules: get() use in hasAny() list method

Problem description

I was wondering if this security rule would be possible:

function productForUser() {
    return resource.data.products.hasAny(get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.products);
}

When I try to test it in the testing playground on the Firebase website, it is successful. However, when I try to run it with JavaScript, with this query, I get the read denied, with "missing or insufficient permissions":

query.where("products", "array-contains", productId);

I can confirm that the user has the array of products, containing the specific product that is being looked up in the query.

Thanks.

Recommended answer

Your rule works in the console simulator because the simulator only supports "get" type requests for a single document. It doesn't work for queries because security rules are not filters. The rule will not be evaluated for each and every document in the collection, as that would not scale well at all for very large collections. To specify conditions for queries, you will need to provide exact values to check from the client - you will not be able to use a get() to find other values.

If you want to test queries before publishing your rules, you should not be using the simulator, and instead use the local emulator to test code that actually performs a query.
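An emulator check of the kind the answer recommends, as an added example that is not part of the original question or answer. It assumes the `@firebase/rules-unit-testing` package and a running Firestore emulator; the collection name `Items`, the uid `alice`, the product ids and the project id are constructed, and the expected outcomes are the ones reported on this page.

```javascript
// Added example, not from the original post. Needs the Firestore emulator and
// @firebase/rules-unit-testing; run: firebase emulators:exec --only firestore "node rules-check.js"
// Assumed/constructed names: collection "Items", uid "alice", product ids "p1", "p2".
const RULES = `
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function productForUser() {
      return resource.data.products.hasAny(
        get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.products);
    }
    match /Items/{item} { allow read: if productForUser(); }
  }
}`;

// Each entry pairs a request with the outcome reported on this page.
function checks(db, assertSucceeds, assertFails) {
  const items = db.collection("Items");
  return [
    ["single-document get, the only request type the console simulator runs",
      () => assertSucceeds(items.doc("i1").get())],
    ["array-contains query, as issued by the client code",
      () => assertFails(items.where("products", "array-contains", "p1").get())],
  ];
}
async function main() {
  const { initializeTestEnvironment, assertSucceeds, assertFails } =
    require("@firebase/rules-unit-testing");
  const env = await initializeTestEnvironment({
    projectId: "demo-rules-check", // constructed project id
    firestore: { rules: RULES },   // host/port come from FIRESTORE_EMULATOR_HOST
  });
  // Seed both documents with rules bypassed.
  await env.withSecurityRulesDisabled(async (ctx) => {
    await ctx.firestore().doc("Users/alice").set({ products: ["p1", "p2"] });
    await ctx.firestore().doc("Items/i1").set({ products: ["p1"] });
  });
  const db = env.authenticatedContext("alice").firestore();
  for (const [name, run] of checks(db, assertSucceeds, assertFails)) {
    await run(); // rejects if the outcome differs from the expected one
    console.log("as expected:", name);
  }
  await env.cleanup();
}

// emulators:exec sets this variable; without it there is nothing to test against.
if (process.env.FIRESTORE_EMULATOR_HOST) {
  main().catch((e) => { console.error(e); process.exitCode = 1; });
}
```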
