Firestore security rules based on request query value


Problem description

I'm trying to secure requests to a collection to allow any single get, but only to allow list if a specific key is matched.

The database structure is as follows:

projects
  project1
    name: "Project 1 name"
    board_id: "board1"
  project2
    name: "Project 2 name"
    board_id: "board2"

boards
  board1
  board2

The Firestore query I'm making from Vue:

// Only return projects matching the requested board_id

db
  .collection("projects")
  .where("board_id", "==", this.board_id)

The security rules I'd like to have would be something like this:

match /projects/{project} {
  allow get: if true // this works
  allow list: if resource.data.board_id == [** the board_id in the query **]

  // OR

  allow list: if [** the board_id in the query **] != null
}

I want to do this so you can list the projects in a specific board, but can't just list everything.

Is there a way to access the requested .where() in the security rules or do I need to nest my projects collection inside my boards collection and secure it that way?

Recommended answer

It really depends on how you want to query data in the future. If you have no requirement to list all of the projects (irrespective of the board), then your current data model is better and can be secured by adding the allowed boards as a map {board_id: true} or (ideally) sub-collection to the /users document.

/projects/{project_id}
/boards/{board_id}
/users/{uid}/boardPermissions/{board_id}

Security rules

match /projects/{project} {
  // Path segments in rules are interpolated with $(...), not ${...}
  allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/$(resource.data.board_id))
}

Alternative data model

If you want to totally partition your data (which is what I tend to do for many of my projects), then create the following model

/boards/{board_id}/projects/{project_id}
/users/{uid}/boardPermissions/{board_id}

Security rules

match /boards/{board_id}/projects/{project_id} {
  // board_id is bound from the request path, so the query needs no where() clause
  allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/$(board_id))
}
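The point both rule sets rely on is that Firestore rules are not filters: a `list` rule is evaluated against the query as a whole, and `resource.data.board_id` only has a known value when the query itself pins `board_id` with an equality clause. The following JavaScript is an added example, not code from the question or the answer, and it is a deliberately simplified model of that evaluation (the real rules engine does a more general analysis of the query); the sample permission data, the request shapes and the helper names are all constructed here. It covers both data models from the answer: the flat `/projects` collection gated by the query's `where("board_id", "==", ...)`, and the partitioned `/boards/{board_id}/projects` collection gated by the path segment.

```javascript
// Constructed sample data modelling /users/{uid}/boardPermissions/{board_id}.
// alice may list board1; bob may list nothing.
const SAMPLE_DB = {
  users: {
    alice: { boardPermissions: new Set(["board1"]) },
    bob: { boardPermissions: new Set() },
  },
};

// Mirrors exists(/databases/$(database)/documents/users/$(uid)/boardPermissions/$(boardId)).
function boardPermissionExists(db, uid, boardId) {
  const user = db.users[uid];
  return Boolean(user && user.boardPermissions.has(boardId));
}

// For a list request the engine can only substitute resource.data.<field>
// when the query carries an equality filter on that field. Returns the pinned
// value or undefined. (Simplified model, not the real engine's analysis.)
function constrainedValue(whereClauses, field) {
  const clause = whereClauses.find((w) => w.field === field && w.op === "==");
  return clause ? clause.value : undefined;
}

// Data model 1 (flat collection), equivalent of:
//   match /projects/{project} {
//     allow list: if exists(.../users/$(request.auth.uid)/boardPermissions/$(resource.data.board_id))
//   }
// request = { auth: { uid } | null, query: { where: [{ field, op, value }] } }
function allowListFlatProjects(db, request) {
  if (!request.auth) return false; // unauthenticated: request.auth.uid is null
  const boardId = constrainedValue(request.query.where, "board_id");
  // An unconstrained "list everything" query is denied outright; Firestore
  // never narrows the result set down to the boards the user may see.
  if (boardId === undefined) return false;
  return boardPermissionExists(db, request.auth.uid, boardId);
}

// Data model 2 (partitioned collection), equivalent of:
//   match /boards/{board_id}/projects/{project_id} {
//     allow list: if exists(.../users/$(request.auth.uid)/boardPermissions/$(board_id))
//   }
// request = { auth: { uid } | null, path: { board_id } }
// board_id comes from the path, so no where() clause is required.
function allowListPartitionedProjects(db, request) {
  if (!request.auth) return false;
  return boardPermissionExists(db, request.auth.uid, request.path.board_id);
}

// Runs the constructed scenarios and returns the decisions as a map, so the
// behaviour of each rule can be inspected without a Firestore emulator.
function runScenarios(db = SAMPLE_DB) {
  const whereBoard1 = [{ field: "board_id", op: "==", value: "board1" }];
  return {
    flatAliceBoard1: allowListFlatProjects(db, { auth: { uid: "alice" }, query: { where: whereBoard1 } }),
    flatAliceUnconstrained: allowListFlatProjects(db, { auth: { uid: "alice" }, query: { where: [] } }),
    flatBobBoard1: allowListFlatProjects(db, { auth: { uid: "bob" }, query: { where: whereBoard1 } }),
    flatAnonymousBoard1: allowListFlatProjects(db, { auth: null, query: { where: whereBoard1 } }),
    partitionedAliceBoard1: allowListPartitionedProjects(db, { auth: { uid: "alice" }, path: { board_id: "board1" } }),
    partitionedAliceBoard2: allowListPartitionedProjects(db, { auth: { uid: "alice" }, path: { board_id: "board2" } }),
  };
}

console.log(runScenarios());
```

Only `flatAliceBoard1` and `partitionedAliceBoard1` come out allowed. The `flatAliceUnconstrained` case is the one that matters for the original question: dropping the `where("board_id", "==", ...)` clause from the Vue query does not return alice's permitted projects, it fails the rule entirely, which is exactly the "can't just list everything" behaviour the question asks for.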
