Firestore security rules based on request query value


Problem description

I'm trying to secure requests to a collection to allow any single get, but only to allow list if a specific key is matched.

The database structure looks like this:

projects
  project1
    name: "Project 1 name"
    board_id: "board1"
  project2
    name: "Project 2 name"
    board_id: "board2"

boards
  board1
  board2

The Firestore query I'm making from Vue:

// Only return projects matching the requested board_id

db
  .collection("projects")
  .where("board_id", "==", this.board_id)

The security rules I'd like to have would be something like this:

match /projects/{project} {
  allow get: if true; // this works
  allow list: if resource.data.board_id == [** the board_id in the query **];

  // OR

  allow list: if [** the board_id in the query **] != null;
}

I want to do this so you can list the projects in a specific board, but can't just list everything.

Is there a way to access the requested .where() in the security rules or do I need to nest my projects collection inside my boards collection and secure it that way?

Accepted answer

It really depends on how you want to query data in the future. If you have no requirement to list all of the projects (irrespective of the board), then your current data model is better and can be secured by adding the allowed boards as a map {board_id: true} or (ideally) sub-collection to the /users document.

/projects/{project_id}
/boards/{board_id}
/users/{uid}/boardPermissions/{board_id}

Security rules

match /projects/{project} {
  // Path interpolation in rules uses $(expr), not ${expr}
  allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/$(resource.data.board_id));
}

Alternative data model

If you want to totally partition your data (which is what I tend to do for many of my projects), then create the following model

/boards/{board_id}/projects/{project_id}
/users/{uid}/boardPermissions/{board_id}

Security rules

match /boards/{board_id}/projects/{project_id} {
  // Path interpolation in rules uses $(expr), not ${expr}
  allow list: if exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/$(board_id));
}
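As an added, complete rules file (not code from the question or the answer), the following puts both of the answer's models inside the `match /databases/{database}/documents` block that the `$(database)` reference depends on, and adds a null check on `request.auth` so an unauthenticated list is denied instead of erroring. The `canReadBoard` helper and the `/users/{uid}/boardPermissions/{board_id}` rule at the bottom are my assumptions about how the permission documents are managed; the answer only names the path.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed helper: does the signed-in user hold a permission document for
    // this board? exists() reads the document, so this counts as one extra
    // read per rule evaluation.
    function canReadBoard(boardId) {
      return request.auth != null
        && exists(/databases/$(database)/documents/users/$(request.auth.uid)/boardPermissions/$(boardId));
    }

    // Model 1 (the asker's current layout): flat /projects collection.
    match /projects/{project} {
      // Any single document read is allowed, as the question asks.
      allow get: if true;
      // Rules are not filters: resource.data.board_id is only pinned to a
      // value when the client query includes where("board_id", "==", <value>),
      // so a list without that filter is rejected rather than narrowed.
      allow list: if canReadBoard(resource.data.board_id);
    }

    // Model 2 (the answer's partitioned layout): projects nested under boards.
    match /boards/{board_id}/projects/{project_id} {
      allow get: if true;
      // board_id comes from the path, so no query filter is needed here.
      allow list: if canReadBoard(board_id);
    }

    // Assumed: users may read only their own permission documents; permission
    // grants are written from a trusted backend (the Admin SDK bypasses rules),
    // so clients get no write access at all.
    match /users/{uid}/boardPermissions/{board_id} {
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if false;
    }
  }
}
```

With model 1 the Vue query from the question, `db.collection("projects").where("board_id", "==", this.board_id)`, is exactly what the `list` rule needs: the equality filter is what lets the rules engine resolve `resource.data.board_id` for the whole result set. A query that drops the filter, or filters on a different field, fails with a permission error, which is the behaviour to expect and to test for in the emulator before deploying.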
