Firestore 安全规则:如果时间戳 (FieldValue.serverTimestamp) 等于现在 [英] Firestore Security Rules: If timestamp (FieldValue.serverTimestamp) equals now

问题描述

如何检查客户端上的用户是否仅使用 firebase.firestore.FieldValue.serverTimestamp() 创建了文档?

How do I check if user on client sided created document with only firebase.firestore.FieldValue.serverTimestamp()?

我有以下几点:

allow create: if request.resource.data.timestamp == ??

我应该拥有什么而不​​是 ??.我试过 serverTimestamp() firebase.firestore.FieldValue.serverTimestamp()、now 或 now() 但它不起作用.

What should I have instead of ??. I have tried serverTimestamp() firebase.firestore.FieldValue.serverTimestamp(), now or now() but it doesn't work.

可以在 Firebase 中这样做:

It is possible to do it in Firebase like this:

".validate": "newData.child('timestamp').val() === now"

我正在寻找相同的解决方案.有任何想法吗?谢谢

I am looking for the same solution. Any ideas? Thanks

推荐答案

您可以使用 request.time 属性(docs)，它相当于实时数据库的 now 的 Firestore.因此，您将需要以下内容:

You can access the current request timestamp in Security Rules using the request.time attribute (docs), which is the Firestore equivalent to the Realtime Databases's now. You'll therefore want something like:

allow create: if request.resource.data.timestamp == request.time;

对于 serverTimestamp() 这应该评估为真.

For serverTimestamp() this should evaluate to true.

您应该始终验证安全规则中的客户端输入，即使您使用的是serverTimestamp().安全规则不会自动知道服务器而不是客户端输入的值，因此如果没有此检查，恶意客户端可能会创建一个不同的时间.

You should always validate client input in Security Rules, even if you're using serverTimestamp(). Security Rules doesn't automatically know the server input the value instead of the client, so without this check, a malicious client could create a different created at time.

这篇关于Firestore 安全规则:如果时间戳 (FieldValue.serverTimestamp) 等于现在的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！