访问 Firestore 规则中的父文档字段 [英] Access parent documents field in Firestore rules

问题描述

我正在 Firestore 中实施一本食谱书，每个用户都可以看到所有用户创建的所有食谱，但只允许该食谱的原始作者编辑或删除该食谱.还允许任何用户创建新配方.

I'm implementing a recipe book in Firestore where every user is able to see all the recipes all users created but only the original author of the recipe is allowed to edit or delete the recipe. Any user is also allowed to create a new recipe.

我的问题是我无法设置子集合在子集合父文档的字段上侦听"的权限.

My problem is that I am unable to setup the permissions a subcollection to "listen" on a field of the subcollections parentdocument.

每个配方文档包含三件事.一个名为 name 的字段，其中存储了配方的名称，一个名为 creatorUID 的字段，其中创建者 uid 的 request.auth.uid 是存储和一个名为 ingredients 的子集合，其中包含具有一些随机字段的文档.

Each recipe document contains three things. A field called name where the name of the recipe is stored, a field called creatorUID where the request.auth.uid of the creators uid is stored and a subcollection called ingredients containing documents with some random fields.

service cloud.firestore {
  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth != null;
    }

    match /ListOfRecipes/{recipe} {
        allow read, create: if isSignedIn();
        allow update, delete: if resource.data.creatorUID == request.auth.uid;

        match /{list=**} {
            allow read: if isSignedIn();
            // Should return true if recipe.creatorUID has same value as request.auth.uid
            allow write: if recipe.creatorUID == request.auth.uid;
        }
    }
  }
}

问题在于，使用这些规则，它只能创建配方文档.由于数据库说

The problem is that with these rules it only works to create the recipe document. The subcollection and it's documents are not created since the db says

FirebaseError: [code=permission-denied]: 权限缺失或不足.Firebase 错误:权限缺失或不足.

FirebaseError: [code=permission-denied]: Missing or insufficient permissions. FirebaseError: Missing or insufficient permissions.

调用来自 Angular 客户端，它是官方库.

The calls is made from Angular client and it's official library.

推荐答案

规则不会级联，因此您需要对规则捕获的文档执行所需的任何检查.

Rules don't cascade, so you'll need to perform whatever checks you need for the document being captured by the Rules.

一般来说，{x=**} 规则往往是错误的，=** 的用法仅适用于极其特定的用例.

Generally speaking, {x=**} rules are more often a mistake and the usage of =** only for extremely specific use cases.

根据您的问题，我假设您的数据模式是这样的:

From your question, I'm assuming your data mode is something like this:

/ListofRecipes/{recipe_document}/List/{list_document}

在这种情况下，您需要像这样配置规则:

In this case, you'll need your Rules to be configured something like this:

service cloud.firestore {
  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth != null;
    }

    match /ListOfRecipes/{recipe} {
        allow read, create: if isSignedIn();
        allow update, delete: if resource.data.creatorUID == request.auth.uid;

        function recipeData() {
            return get(/databases/$(database)/documents/ListOfRecipes/$(recipe)).data
        }

        match /List/{list} {
            allow read: if isSignedIn();
            allow write: if recipeData().creatorUID == request.auth.uid;
        }
    }
  }
}

这篇关于访问 Firestore 规则中的父文档字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！