使用获得回报的Firestore规则不足

发布于 01-23 16:26 字数 1081 浏览 3 评论 0原文

我正在使用以下查询来查询:

setDoc(doc(db, "vendors", this.vendorId), {
    title: "test listing",
    vendorId: this.vendorId
}, {merge: true}).then(i => {
    console.log("i", i)
}).catch(e => {
    console.log("error", e)
})

我有2个集合,第一个收藏品有一个sub Collection

收集用户/$ {userId}

{
    "userId": "123.uuu",
    "role": "vendor"
}

sub Collection用户/$ {userId}/vendors/$ {vendorid}

{
    "user": "123.uuu",
    "vendor": "123..vvv"
}

第二个集合是 收集供应商/$ {vendorid}

{
    "userId": "123.uuu",
    "role": "vendor"
}

我希望能够更新第二个集合供应商/$ {vendorid} ,但是只有当用户sub sub collection 用户/$ $ {userId}/vendors/$ {vendorid} 存在,因此可以访问它。

以下规则不起作用 - 返回 firbaseError:丢失或不足的权限。

match /vendors/{vendorId}{
    allow update: if get(/databases/$(database)/documents/users/$(request.auth.uid)/vendors/$(vendorId)).data.user == request.auth.uid
}

I'm making a query to firestore using:

setDoc(doc(db, "vendors", this.vendorId), {
    title: "test listing",
    vendorId: this.vendorId
}, {merge: true}).then(i => {
    console.log("i", i)
}).catch(e => {
    console.log("error", e)
})

I have 2 collections the first one has a sub collection

Collection users/${userId}

{
    "userId": "123.uuu",
    "role": "vendor"
}

Sub collection users/${userId}/vendors/${vendorId}

{
    "user": "123.uuu",
    "vendor": "123..vvv"
}

The second collection is
Collection vendors/${vendorId}

{
    "userId": "123.uuu",
    "role": "vendor"
}

I want to be able to update the second collection vendors/${vendorId} but only if the users sub collection users/${userId}/vendors/${vendorId} exists and therefore has access to it.

The below rule doesn't work - returns FirebaseError: Missing or insufficient permissions.

match /vendors/{vendorId}{
    allow update: if get(/databases/$(database)/documents/users/$(request.auth.uid)/vendors/$(vendorId)).data.user == request.auth.uid
}

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

找个人就嫁了吧 2025-01-30 16:26:21

允许更新将允许更新操作,即文档必须已经存在。由于您正在使用setDoc(),因此这意味着如果不存在,将创建一个新文档。尝试允许创建也要:

allow create, update: if ....;

结帐关于安全规则,此外,此 firecast

The allow update will allow update operations only i.e. the document must already exist. Since you are using using setDoc(), that means a new document is being created if it doesn't exist already. Try allowing create as well:

allow create, update: if ....;

Checkout the documentation on Security Rules and also this Firecast

妄司 2025-01-30 16:26:21

根据@Doug Stevenson的说法:“安全规则没有任何意义,除非与制作查询的代码配对。”,您可以尝试按照在我的终点复制的示例代码遵循示例代码:

// Where the user.uid is the users document id;
// and the vendorId is the value of the "user" under vendors' sub-collection
const userRef = doc(db, "users", {user.uid}, "vendors", {vendorId});
const userSnap = await getDoc(userRef);

if (userSnap.exists()){
  // Where the vendorId is the value of the user under vendors' collection
  await setDoc(doc(db, "vendors", {vendorId}), {
    title: "test listing",
    vendorId: this.vendorId
  }, 
    {merge: true}).catch(e => {
      console.log("error", e);
  })
}
else{
    // doc.data() will be undefined in this case
    console.log("No such document!");
}

此外,遵循@dharmaraj的答案。 ,您可以尝试以下规则:

match /vendors/{vendorId} {
    // 'user' field in collection 'vendors', and users' sub-collection 'vendors', should have the same value for this rule to work
    // this will check 'vendors' and users' sub-collection 'vendors' user field if its the same or not
    allow read, create, update: if resource.data.user == request.auth.uid && request.auth.uid != null
}

有关更多信息,可以查看下面的指南:

如何修复firestore错误:currisermission_denied:丢失或不足的权限

According to @Doug Stevenson: "Security rules don't mean anything unless paired with code that makes the query.", you can try to follow the example code below that works upon replicating on my end:

// Where the user.uid is the users document id;
// and the vendorId is the value of the "user" under vendors' sub-collection
const userRef = doc(db, "users", {user.uid}, "vendors", {vendorId});
const userSnap = await getDoc(userRef);

if (userSnap.exists()){
  // Where the vendorId is the value of the user under vendors' collection
  await setDoc(doc(db, "vendors", {vendorId}), {
    title: "test listing",
    vendorId: this.vendorId
  }, 
    {merge: true}).catch(e => {
      console.log("error", e);
  })
}
else{
    // doc.data() will be undefined in this case
    console.log("No such document!");
}

Additionally, following the answer of @Dharmaraj, you can try this rule:

match /vendors/{vendorId} {
    // 'user' field in collection 'vendors', and users' sub-collection 'vendors', should have the same value for this rule to work
    // this will check 'vendors' and users' sub-collection 'vendors' user field if its the same or not
    allow read, create, update: if resource.data.user == request.auth.uid && request.auth.uid != null
}

For more information, you can check the guide below:

How to fix Firestore Error: PERMISSION_DENIED: Missing or insufficient permissions

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文