Firebase Firestore security rules: can't understand why certain rules do/don't work
My Firestore database is structured so that "leagues" is a top-level collection, and each league document contains a field named after each approved user ID (with a numeric value).
Each league also has a subcollection "users" whose documents are named after each approved user ID.
Here is an example Firestore query:
FirebaseAuth mAuth = FirebaseAuth.getInstance();
// userId = ABCDEF123 for this example
String userId = mAuth.getCurrentUser().getUid();
FirebaseFirestore firestore = FirebaseFirestore.getInstance();
firestore.collection("leagues").whereLessThan(userId, 99).get();
Can someone tell me why this rule works:
match /leagues/{league} {
  allow read, write: if resource.data.ABCDEF123 != null;
}
but not this:
match /leagues/{league} {
  allow read, write: if resource.data.request.auth.uid != null;
}
Also, why does this rule work:
// "ZYXWV987" is an example of a league the user is in
match /leagues/{league} {
  allow read, write: if exists(/databases/$(database)/documents/leagues/$('ZYXWV987')/users/$(request.auth.uid));
}
but not this:
match /leagues/{league} {
  allow read, write: if exists(/databases/$(database)/documents/leagues/$(league)/users/$(request.auth.uid));
}
The error I get is "com.google.firebase.firestore.FirebaseFirestoreException: PERMISSION_DENIED: Missing or insufficient permissions".
I would like to understand how these rules work and how to implement proper rules for my database.
Edit:
I now realize this works (still a work in progress):
match /leagues/{league} {
  allow read, create, update: if request.auth.uid != null;
  //only ever deleting a single league at a time
  allow delete: if exists(/databases/$(database)/documents/leagues/$(league)/users/$(request.auth.uid));
  match /{docs=**} {
    allow read, write: if exists(/databases/$(database)/documents/leagues/$(league)/users/$(request.auth.uid));
  }
}
I sort of understand what is going on (I can't use the {league} wildcard when more than one league may be read/written in a single request), but I'm still not sure why.
My guess is that there is no field named request in resource.data. How would the dot syntax know that you want the last part (request.auth.uid) evaluated first and its result used as the next key? I'm not sure, but you could try resource.data[request.auth.uid]
From:
Every database request from a Cloud Firestore mobile/web client library is evaluated against your security rules before reading or writing any data.
The first rule is evaluated and, depending on the result, the user is allowed to read either all or none of the league documents.
The second rule would have to evaluate each document based on its contents. That is not possible without reading all of them first.
You must define your security rules so that Firestore can evaluate them based only on the definition of the query, regardless of its possible results.

resource.data[request.auth.uid] works! The rest makes sense too. Thanks. Follow-up question: how do I check in FS rules, when deleting a field (i.e. "documentReference.update(fieldID, FieldValue.delete());"), whether the value of a field is FieldValue.delete()? "request.auth.uid in request.writeFields" is "true", but "request.resource.data[request.auth.uid] != null" and "request.resource.data[request.auth.uid] = null" both give me "false"/"error" (I don't know how to check).

I don't quite understand what you are trying to do. Just to make sure it isn't a typo - have you tried == null?

Ha, it was a typo, but not in my actual rules! Here is the full rule (currently, for troubleshooting). This does not work:
allow update: if request.writeFields && (request.resource.data[request.auth.uid] == null || request.resource.data[request.auth.uid] != null)
From my app, a user can change their access level in the group with docref.update(userID, level) or remove themselves entirely with docref.update(userID, FieldValue.delete()); the users are all the fields in the document (with their access level as the value)... updating the level works with the rule above, but the delete does not... Also, deleting a user works with just allow update: if request.auth.uid in request.writeFields.
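The following rules file is an added example, not the rules posted in the question or the answers. It assumes the data model described above (one numeric field per approved user ID on each /leagues/{league} document, plus a /leagues/{league}/users/{uid} subcollection) and pulls the threads of the discussion together: a list rule that Firestore can prove from the query alone (resource.data[request.auth.uid], the form that works, next to a comment on why resource.data.request.auth.uid does not), the exists() lookup kept to single-document operations, and an update rule that handles the FieldValue.delete() case from the follow-up comments by testing for the field's absence with the in operator, since request.resource.data is the document as it would be after the write and indexing a missing key raises an error. The helper function names (signedIn, isMember, touchesOnlyOwnField) are this example's own; the MapDiff call request.resource.data.diff(resource.data).affectedKeys() is used instead of request.writeFields.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Added example; helper names are this example's own, not from the question.
    function signedIn() {
      return request.auth != null && request.auth.uid != null;
    }

    // Membership check via the users subcollection. Each call costs one
    // document read and can only be evaluated for a single known document,
    // so use it for get/create/update/delete, never for list queries.
    function isMember(league) {
      return exists(/databases/$(database)/documents/leagues/$(league)/users/$(request.auth.uid));
    }

    // The write may add, change or remove only the field keyed by the caller's own uid.
    function touchesOnlyOwnField() {
      return request.resource.data.diff(resource.data).affectedKeys().hasOnly([request.auth.uid]);
    }

    match /leagues/{league} {
      // Single-document read: Firestore already holds resource.data, so a
      // per-document condition is fine. A missing key raises an error, which
      // is a deny, so a non-member gets PERMISSION_DENIED rather than data.
      allow get: if signedIn() && resource.data[request.auth.uid] != null;

      // Query: the condition refers only to a field the query itself constrains
      // (whereLessThan(uid, 99) requires the field to exist), so Firestore can
      // accept or reject the whole query without reading any document.
      // resource.data.ABCDEF123 works the same way for one hard-coded uid;
      // resource.data.request.auth.uid does not, because it looks up a field
      // literally named "request" instead of the value of request.auth.uid.
      allow list: if signedIn() && resource.data[request.auth.uid] != null;

      // The creator must be an approved member of the new league.
      allow create: if signedIn() && request.resource.data[request.auth.uid] is number;

      // Two client operations from the comments:
      //   docref.update(uid, level)               -> field present, numeric
      //   docref.update(uid, FieldValue.delete()) -> field absent after the write
      // request.resource.data is the post-write document, so the deleted field
      // is simply not there; check absence with `in`, not with `== null`.
      allow update: if signedIn() && touchesOnlyOwnField()
        && (
          !(request.auth.uid in request.resource.data)
          || request.resource.data[request.auth.uid] is number
        );

      // Delete is always a single-document operation, so the lookup is allowed.
      allow delete: if signedIn() && isMember(league);

      match /users/{uid} {
        // Members may read the roster; a user may only add or remove their own entry.
        allow read: if signedIn() && isMember(league);
        allow create, delete: if signedIn() && uid == request.auth.uid;
      }
    }
  }
}
```

The split between get and list is the practical point of the accepted answer: any condition that needs the document's contents is fine for a single-document read, but a query is only allowed if the rule can be decided from the query's own filters, which is why the {league} wildcard cannot feed an exists() lookup inside a list rule. The update rule's `in` check is what the follow-up comment was missing: after FieldValue.delete() the field is absent from request.resource.data, and indexing an absent key is an error (a deny), not null.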