保护多个用户的数据 Firestore [英] Securing data for multiple users Firestore
问题描述
我如何为 Firestore 设置规则,以通过以下方式限制仅某些用户对某些集合文档/集合的访问:
How could I set rules for Firestore to restrict access only for some users to certain collections documents/collection in the following manner:
//base collection
clients:{
//document
client-1-store:{
users-allowed:[
"user-1-id",
"user-2-id",
"user-3-id",
"user-4-id",
]
}
}
问题是,如果当前登录用户的 id 设置在用户允许的每个数组中,我只想允许读取和写入client-1-store"文档及其文档和子集合store",但我不知道我该怎么做...
The thing is I'd like to only allow reading and writing to the "client-1-store" document and its documents and sub collections if the current logged in user's id is set inside the users-allowed array of each "store", but I have no idea of how i could do that...
推荐答案
不是创建一组用户 ID,而是创建一个 值映射
Instead of creating an array of user IDs, create a map of values
//base collection
clients:{
//document
client-1-store:{
users-allowed:{
"user-1-id": true,
"user-2-id": true,
"user-3-id": true,
"user-4-id": true,
}
}
}
match /clients/{storeId=**} {
allow read: if get(/databases/$(database)/documents/clients/$(storeId).data.users-allowed.$(request.auth.uid)) == true;
}
然而,这并没有像 allowedUsers 子集合那样扩展,每个用户 ID 都保存为一个文档.然后,您可以改用 exists
条件.这还允许您进一步细化用户文档以获得详细的 CRUD 权限.
However, this doesn't scale as well as having an allowedUsers sub-collection, with each user ID saved as a document. You can then use the exists
condition, instead. This also allows you to add further granularity to the user's document for detailed CRUD permissions.
这篇关于保护多个用户的数据 Firestore的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!