保护多个用户的数据 Firestore [英] Securing data for multiple users Firestore

问题描述

我如何为 Firestore 设置规则，以通过以下方式限制仅某些用户对某些集合文档/集合的访问:

How could I set rules for Firestore to restrict access only for some users to certain collections documents/collection in the following manner:

//base collection
clients:{
  //document
  client-1-store:{
    users-allowed:[
      "user-1-id",
      "user-2-id",
      "user-3-id",
      "user-4-id",
    ]
  }
}

问题是，如果当前登录用户的 id 设置在用户允许的每个数组中，我只想允许读取和写入client-1-store"文档及其文档和子集合store"，但我不知道我该怎么做...

The thing is I'd like to only allow reading and writing to the "client-1-store" document and its documents and sub collections if the current logged in user's id is set inside the users-allowed array of each "store", but I have no idea of how i could do that...

推荐答案

不是创建一组用户 ID，而是创建一个 值映射

Instead of creating an array of user IDs, create a map of values

//base collection
clients:{
  //document
  client-1-store:{
    users-allowed:{
      "user-1-id": true,
      "user-2-id": true,
      "user-3-id": true,
      "user-4-id": true,
    }
  }
}


match /clients/{storeId=**} {
  allow read: if get(/databases/$(database)/documents/clients/$(storeId).data.users-allowed.$(request.auth.uid)) == true;
}

然而，这并没有像 allowedUsers 子集合那样扩展，每个用户 ID 都保存为一个文档.然后，您可以改用 exists 条件.这还允许您进一步细化用户文档以获得详细的 CRUD 权限.

However, this doesn't scale as well as having an allowedUsers sub-collection, with each user ID saved as a document. You can then use the exists condition, instead. This also allows you to add further granularity to the user's document for detailed CRUD permissions.

这篇关于保护多个用户的数据 Firestore的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！