Firebase Firestore - 基于“where"的安全规则查询参数 [英] Firebase Firestore - security rule based on "where" query parameters
问题描述
我正在尝试保护对集合的请求,以允许任何单个 get,但仅在匹配特定键时才允许 list.
数据库结构是这样的:
帖子帖子1内容:发布1个内容"uid:uid1"后2内容:发布2个内容"uid:uid1"后 3内容:发布 3 条内容"uid:uid2"我从 Vue 进行的 Firestore 查询:
//只返回与请求的 uid 匹配的帖子D b.collection("帖子").where("uid", "==", this.uid)我想要的安全规则是这样的:
匹配/posts/{post} {允许获取:如果为真//这有效允许列表:如果 [** 查询中的 uid **] != null我想这样做是为了让您可以列出特定用户的帖子,如果您知道他们的 uid 但不能列出系统的所有 posts.>
有没有办法访问安全规则中请求的 .where() 或者在这种情况下如何编写此类规则或构建我的数据?
相关&学分:
从表面上看,我可以对查询的
limit、offset和orderBy发出请求.但是where上什么都没有.请参阅:#1 .我从这个问题中复制了很多内容.我不明白接受的答案如何回答问题.似乎它回答了另一种情况,即允许用户
list一些其他用户的帖子.那不是我的情况;就我而言,公开的就是公开的.所以,它似乎没有回答我的主要问题.
目前无法使用安全规则来检查查询中是否正在使用字段.您唯一能做的就是仅使用您允许的值来验证文档字段是否被用作过滤器.
相反,考虑将足够多的数据复制到另一个这样组织的集合中:
user-posts (collection){uid}(使用 UID 作为文档 ID 的文档)帖子(子集){postId}(使用帖子 ID 作为文档 ID 的文档)这将要求客户端调用 UID 进行查询,以获取与该用户关联的所有帖子.您可以根据需要存储尽可能多的邮寄文档信息,以满足查询要求.
像这样复制数据在 NoSQL 数据库中很常见.如果您不希望用户在任何给定时刻查询所有帖子,您甚至可能希望将其设为新的默认结构.请注意,集合组查询将帖子"子集合仍会查询所有用户的所有帖子,因此您必须确保您设置了安全规则,以便仅在您允许它发生时才启用它.
另请注意,UID 通常不会对用户隐藏,特别是如果您的网站本质上是协作网站,并且您将多个用户的数据合并到一个页面上.
I'm trying to secure requests to a collection to allow any single get, but to allow list only if a specific key is matched.
Database structure is like this:
posts
post1
content: "Post 1 content"
uid: "uid1"
post2
content: "Post 2 content"
uid: "uid1"
post3
content: "Post 3 content"
uid: "uid2"
The Firestore query I'm making from Vue:
// Only return posts matching the requested uid
db
.collection("posts")
.where("uid", "==", this.uid)
The security rules I'd like to have would be something like this:
match /posts/{post} {
allow get: if true // this works
allow list: if [** the uid in the query **] != null
I want to do this so you can list the posts of a specific user if you know their uid but can't list all posts of the system.
Is there a way to access the requested .where() in the security rules or how can I write such rule or structure my data in this case?
Relevant & credits:
Seemingly, I can make a request on a query's
limit,offset, andorderBy. But there's nothing onwhere. See: #1 & #2.I copy-pasted much from this question. I don't see how the accepted answer answers the question. It seems like it answers another case where a user is allowed to
listsome other users' posts. That is not my case; in my case, what's public is public. So, it doesn't answer the main question in my case, it seems.
There's currently no way, using security rules, to check if a field is being used in query. The only thing you can do is verify that a document field is being used as a filter using only values you allow.
Instead, consider duplicating enough data into another collection organized like this:
user-posts (collection)
{uid} (document using UID as document ID)
posts (subcollection)
{postId} (documents using post ID as document ID)
This will require the client to call out a UID to query in order to get all the posts associated with that user. You can store as much information about the post documents as you like, for the purpose of satisfying the query.
Duplicating data like this is common in NoSQL databases. You might even want to make this your new default structure if you don't want your users to query across all posts at any given moment. Note that a collection group query naming the "posts" subcollection would still query across all posts for all users, so you'd have to make sure your security rules are set up so that this is enabled only when you allow it to happen.
Also note that UIDs are typically not hidden from users, especially if your web site is collaborative in nature, and you combine multiple users' data on a single page.
这篇关于Firebase Firestore - 基于“where"的安全规则查询参数的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
