Firestore security rules - how to secure list requests via the request query.

Posted 2025-01-27 14:59:15 · 939 characters · 3 views · 0 comments


I want to secure a collection of accounts documents with a field access.users that contains an array of user DocumentReferences which are allowed to access an account document in the collection.

accounts.access.users = [ //array of user document references ] 

In my query (JS client library) I am setting the query:

db.collection('accounts').where('access.users', 'array-contains', userRef)

To secure the data, I want to write a rule:

 function userHasAccountAccess () {
   let user = getUser(); // returns users document reference based on auth uid
   // - here - need to check that the users document reference was requested by the query ie - that `request.query` contains the `access.users` field and that value of this filter in an array/list which includes a reference to the users' document
 }

 match /accounts/{docId} {
  allow list: if userHasAccountAccess();
 }

... but it seems from the docs that the only properties available on a query are limit, offset and orderBy, so then I am unable to test or secure this way.

So how are others securing their data in this type of access role ACL scenario for LIST type requests?


Comments (1)

扮仙女 2025-02-03 14:59:15


So after some digging, I found the answer.

Where posting a query (LIST) request as so:

db.collection('accounts').where('access.users', 'array-contains', userRef).limit(5)

... it seems that limit, orderBy and offset become properties of request.query in the security rules, but the where filters become properties of resource.data.

This is confusing because a) resource.data is usually a map of document data being posted (ie when saving records) and b) the docs describe resource.data as such.
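The usual way to express this ACL check in the rules language, written as an added example for this thread rather than the poster's own rules, assuming the user documents live at /users/{uid} and that access.users holds DocumentReferences:

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Path of the signed-in caller's own user document (assumed /users collection).
    function callerUserRef() {
      return /databases/$(database)/documents/users/$(request.auth.uid);
    }

    match /accounts/{docId} {
      // For a list request, Firestore evaluates this condition against every
      // document the query could return. The client query
      //   .where('access.users', 'array-contains', userRef)
      // with userRef equal to the caller's own user document is provably
      // consistent with the rule and is allowed; a query without that filter,
      // or filtering on another user's reference, is rejected as a whole
      // (documents are never silently filtered out by rules).
      allow get, list: if request.auth != null
                       && callerUserRef() in resource.data.access.users;
    }
  }
}
```

The same condition covers single-document `get` reads, so no inspection of `request.query` (limit, offset, orderBy) is needed for the access check; a document missing the `access.users` field makes the expression error out, which is treated as a denial.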
