Firestore security rules for public and private fields


Question

As for the security rules of the Firebase Realtime Database, both public and private data can exist in the same tree using a rule such as the following.

However, when using Firestore, it doesn't seem to let us do the same, because the chunk of data we can retrieve is only a collection or a document. When public and private data are defined in the same document and we get the data via collection/document, we get an insufficient-permissions error for the private data if we are not the owner.

When using the RTDB, we can get the data at 'users/{userId}/publicInfo' because there is no concept of collection/document.

Is there any way to do this RTDB approach with Firestore? Otherwise, should we have separate public/private collections?

// rule of Firebase Realtime Database
"users": {
   "$user_id": {
       ".read": "auth.uid === $user_id",
       ".write": "auth.uid === $user_id",

       "private": {
          ".read": "auth.uid === $user_id"   // --- private data
       },

       "public": {
          ".read": "auth !== null"           // --- public data
       }
   }
}

// Firestore
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {

      match /{private=**} {
        allow read, write: if request.auth == userId;
      }

      match /{public=**} {
        allow read, write: if request.auth != null;
      }
    }
  }
}

Answer

So you can't have separate security rules for separate parts of a document. You can either read the entire document, or you can't.

That said, if you wanted to give your userID document a "public" and "private" subcollection that contained documents that were public and private, that's something you can totally do, just not in the way you've currently set up your security rules.

The match /{private=**} bit as you've written it doesn't mean, "Match any subcollection that's called 'private'". It means, "Match any subcollection, no matter what, and then assign it to a variable called private". The "Recursive matching with wildcards" section of the docs covers this in more detail.

Also, you need to reference request.auth.uid to get the user's ID.

So, you probably want something more like this:

// Firestore
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // You'll probably want to add security rules around the user document 
      // itself. For now, though, let's look at our subcollections:

      match /private/{anything=**} {
        // Only the user can read documents in their private collection
        allow read, write: if request.auth.uid == userId;
      }

      match /public/{anything=**} {
        // Anybody can read documents here, as long as they're signed in
        allow read, write: if request.auth != null;
      }
    }
  }
}
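The rules in the answer leave two things open that a reviewer would normally want closed: the user document itself has no rule yet (so it is denied by default), and the public subcollection grants write as well as read to every signed-in user, so any authenticated account can overwrite another user's public data. The following rules file is an added example, not part of the answer above or of Firebase's own documentation; it keeps the answer's layout (owner-only private subcollection, signed-in-readable public subcollection) and tightens the rest. The document paths, the choice of rules_version 2 and the owner-only write on the public subcollection are assumptions made for this example.

```firestore
// Added example: hardened version of the public/private subcollection layout.
// Assumes the data model users/{userId}/private/... and users/{userId}/public/...
rules_version = '2';   // in version 2, {name=**} matches zero or more path segments

service cloud.firestore {
  match /databases/{database}/documents {

    // Reusable check: the caller is signed in AND is the owner of this user tree.
    // Checking request.auth != null first avoids evaluating .uid on a null auth,
    // which would error out and be treated as a deny anyway, but is clearer.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    match /users/{userId} {
      // The user document itself: only its owner may read or write it.
      allow read, write: if isOwner(userId);

      // Private subcollection: owner-only, for every nested document.
      match /private/{document=**} {
        allow read, write: if isOwner(userId);
      }

      // Public subcollection: any signed-in user may read (get and list),
      // but only the owner may create, update or delete documents here.
      match /public/{document=**} {
        allow read: if request.auth != null;
        allow write: if isOwner(userId);
      }
    }
  }
}
```

Because a document is still the unit of authorization, a client that needs a mix of public and private data for a user makes two reads, users/{userId}/public/{doc} and users/{userId}/private/{doc}, rather than one; the second read simply fails with insufficient permissions for anyone but the owner, which is the behaviour the question describes and the reason the data is split across subcollections in the first place.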
