Firestore auth rule to test reference value in list

Question

I'm trying to create a Firestore auth rule that checks the current user against a list of team members in a team document. The members are stored as document references so I've been trying things like this:

match /teams/{document=**} {
    allow read: if path("/users/" + request.auth.uid) in resource.data.members;
}

But when I try and access the team document I get told there is an Auth failure.

Each team member has their own document in /users using their UID as a key. So a user might be /users/12345678 and the teams document might have:

/teams/team1 {
              members: [/users/12345678, ....]
             }

The members are of reference type.

So far I've not been able to figure this out as Firestore does not seem to have the concept of a document reference type in its auth rules.

Any suggestions?

Recommended answer

Security rules do have a concept of a reference, and it's represented as a Path type object. When a document reference is read by security rules, you have to treat it like a Path. And that Path will be fully qualified like this:

/databases/$(database)/documents/collection/documentId

Where $(database) comes from your usual top-level database wildcard match.

So, your rule might be implemented like this:

match /teams/{document=**} {
    allow read: if /databases/$(database)/documents/users/$(request.auth.uid) in resource.data.members;
}

Note that in security rules, you can build a path simply by starting with a /, and use $(foo) for interpolating variables as path components.
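
The rule from the answer placed inside a complete rules file, so that the wildcard behind $(database) is visible. This is an added example, not part of the original answer; the {teamId} wildcard name and the request.auth != null guard are assumptions introduced here.

```firestore
rules_version = '2';
service cloud.firestore {
  // {database} is the top-level wildcard that $(database) refers to below.
  match /databases/{database}/documents {
    // {teamId} (assumed name) matches a single team document. The recursive
    // {document=**} form would also apply this rule to documents in any
    // subcollection under /teams, whose data may have no members field.
    match /teams/{teamId} {
      // A document reference stored in members is seen by the rules as a
      // fully qualified Path, so the value compared against the list must be
      // fully qualified too. "users" is the collection from the question,
      // keyed by UID.
      // The request.auth != null guard (added here) makes the
      // unauthenticated case an explicit deny.
      allow read: if request.auth != null
        && /databases/$(database)/documents/users/$(request.auth.uid) in resource.data.members;
    }
  }
}
```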
