我可以限制Firestore数据库中的某些字段仅由Firebase管理员获取吗? [英] Can I restrict certain fields in firestore database to be only fetched by firebase admin?
问题描述
我在firestore中有一个用户集合,其中存储了一些我不想透露给用户的有关用户的信息(例如会话ID).所以我的问题是,是否有可能仅允许Firebase管理员提取文档的某些字段,并且如果任何用户通过身份验证,则可以提取其余字段? Firebase安全规则是否可能?
I have a users collection in firestore, which stores some information about the user which I don't want to disclose to the user (e.g. session id). So my question is, is it possible to only allow firebase admin to fetch some fields of a doc and rest of the fields can be fetched if any user is authenticated? Is it possible with firebase security rules?
推荐答案
As you have noted, Firestore security rules "only allow security up to the document level".
类似地,使用客户端SDK,获取文档时,您将获得该文档的整个字段集.
Similarly, with the Client SDKs, when you fetch a document, you get the entire set of fields of this document.
(在撰写本文时),只有Firestore REST API允许应用将文档上的操作更新为其字段的子集".请注意,这不是对字段级别的读写访问权限的限制(即,它没有实现/模仿安全规则),但这只是减小文件大小的一种方法.传递给API或从API接收的有效负载.
(At the time of writing) Only the Firestore REST API allows to apply a DocumentMask which "restrict a get or update operation on a document to a subset of its fields". Note that this is not a limitation on the read and write access right at the level of the field (i.e. it does not implement/mimic a security rule), it is just a way to reduce the size of the payload passed to/received from the API.
因此,话虽如此,一种解决方案是复制您的数据并拥有两个不同的集合:
So, having said that, one solution is to duplicate your data and have two different collections:
- 一个包含文档的集合,该文档包含所有字段,并且只有管理员用户才能看到(受一组特定的安全规则保护).
- 一个包含文档的集合,该文档仅包含任何经过身份验证的用户可以获取的字段(受另一组安全规则保护,例如
allow read: if request.auth.uid != null;).
要链接"文档的两个版本,请在每个集合中使用相同的文档ID.
To "link" the two versions of a document, you use the same document id in each collection.
此方法的一个副作用是您需要使文档保持同步.如果修改了其中一个集合中的文档,则可以通过触发Cloud Function来完成此同步.由于文档的两个版本共享相同的文档ID,所以它不是很复杂.
One side effect of this approach is that you need to keep the docs in sync. This synchronization could be done with a Cloud Function triggered if a doc in one of the collections is modified. Since two versions of a document share the same doc id, it is not very complex.
这篇关于我可以限制Firestore数据库中的某些字段仅由Firebase管理员获取吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
