将Firestore安全规则移至自定义功能中断规则 [英] Moving Firestore security rule to custom function breaks rule

问题描述

我有一个Firestore安全规则，该规则检查用户是否具有访问其他文档的正确代码.

I have a Firestore security rule that check that an user has the proper code to access another document.

service cloud.firestore {
  match /databases/{database}/documents {
    match /Orgs/{orgID} {
      allow read: if get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.OrgCode == resource.data.Code;
    }
  }
}

这很好.但是，如果我尝试将此检查移入自定义函数中，例如:

This works great. However, if I try to move this check into a custom function like so:

service cloud.firestore {
  match /databases/{database}/documents {
    match /Orgs/{orgID} {
      allow read: if isPartOfOrg();
    }
  }
}
function isPartOfOrg(){
  return get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.OrgCode == resource.data.Code;
}

然后我开始出现权限错误.除了将逻辑移到函数中外，我什么也没做，为什么这不起作用?

Then I start to get permission errors. I haven't done anything but move the logic into a function, why is this not working?

推荐答案

我在写问题时就知道了. 文档说，函数可以访问变量和函数来自定义它们的范围，而不是来自调用它们的地方.

I figured it out while writing the question. The docs say that functions have access to variables and functions from the scope in which they are defined and not from where they are called.

因此，将函数按原样移动到match块中，一切便会再次正常工作！

So, move the function into the match block as so, and everything works again!

service cloud.firestore {
  match /databases/{database}/documents {
    match /Orgs/{orgID} {
      function isPartOfOrg(){
        return get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.OrgCode == resource.data.Code;
      }
      allow read: if isPartOfOrg();
    }
  }
}

希望这对遇到此问题的其他人有所帮助！

Hope this helps others who run into this issue!

这篇关于将Firestore安全规则移至自定义功能中断规则的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！