Cloud Firestore安全规则-文档中的单个受保护字段 [英] Cloud Firestore security rules - single protected field in a document

问题描述

我想在user文档中有一个名为suspendedProfile的只读属性，而所有其他属性都具有当前登录用户的读/写访问权限.有没有一种简单的安全规则可以做到这一点?

I'd like to have a read-only property called suspendedProfile in a user document with all the other properties with read/write access for currently logged in user. Is there a way to do it with a simple security rule?

我考虑了2种解决方案:

I thought about 2 solutions:

1. 禁止写入修改属性，例如allow write: if request.resource.data.suspendedProfile == null;
2. user文档中带有allow read;的/secure集合

1. disallow writes that modify the property like allow write: if request.resource.data.suspendedProfile == null;
2. a /secure collection with allow read; inside the user document

我认为第一种选择最好是将所有与用户相关的属性都放在一个文档中，但是我很想听听您的想法.还有其他更简单的方法来实现这一目标吗?

I think the first option is better all the user-related properties are in a single docment, but I'd love to hear your thoughts. Is there any other simpler way to achieve this?

推荐答案

我想自己设法找到了自己的答案的解决方案

I think I managed to find a solution for my own answer using Firebase documentation.

// A user can update a product reviews, but they can't change
// the headline.
// Also, they should only be able up update their own product review,
// and they still have to list themselves as an author
allow update: if request.resource.data.headline == resource.data.headline
                    && resource.data.authorID == request.auth.userID
                    && request.resource.data.authorID == request.auth.userID;

因此，就我而言，我只会allow update: if request.resource.data.suspendedProfile == resource.data.suspendedProfile

So in my case, I will just allow update: if request.resource.data.suspendedProfile == resource.data.suspendedProfile

这篇关于Cloud Firestore安全规则-文档中的单个受保护字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！