Can I overlap Firestore security rules to avoid using the OR operator everywhere?
I have a bunch of collections to define security rules for and they all have logical OR operators in them to account for admin rights. Here is one such example:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isAdmin() {
      return request.auth != null && get(/databases/$(database)/documents/userProfiles/$(request.auth.uid)).data.admin == true;
    }
    function isSignedIn() {
      return request.auth != null;
    }
    function isOwnDocument() {
      return request.auth.uid == request.resource.id;
    }
    match /userSettings/{doc} {
      allow read: if isOwnDocument() || isAdmin();
      allow write: if isOwnDocument() || isAdmin();
    }
  }
}
Could I, instead, declare admin rights up front and omit the OR operator?

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isAdmin() {
      return request.auth != null && get(/databases/$(database)/documents/userProfiles/$(request.auth.uid)).data.admin == true;
    }
    function isSignedIn() {
      return request.auth != null;
    }
    function isOwnDocument() {
      return request.auth.uid == request.resource.id;
    }
    match /{document=**} {
      allow read: if isAdmin();
      allow write: if isAdmin();
    }
    match /userSettings/{doc} {
      allow read: if isOwnDocument();
      allow write: if isOwnDocument();
    }
  }
}
Would this be a good practice?
Yes!
I just checked the Rules Playground in the Firebase Console.
To try the Rules Playground, go to the Rules tab of Cloud Firestore and click on Rules Playground. You will see it at the bottom left of the Rules Editor. There, you can build the data and an authenticated state and from there simulate a request.
Yes, certainly. It will make your Firestore Rules cleaner, so you won't need to be putting || (OR) in every match.

Explanation

From the Firebase Docs:

So when isAdmin() is true (and because it is declared up front for all documents), Firestore will allow access for the documents.

From the question comments ...
Custom Claims is a feature in Firebase where you can assign different roles to users. You can use custom claims to set admin privileges, teacher permissions, or any role your app needs.
Custom Claims take valid JSON (preferably key-value pairs with boolean values).
Custom Claims on a user can be accessed in different parts of Firebase: idToken and auth.token. So, in either of these parts of Firebase, you can check the custom claims on an authenticated user to give them access to resources or not.
Note that custom claims are not meant to be used as a store of data to extend the User object from Firebase Authentication. They are primarily there for security rules. Firebase will reject custom claims that are more than 1000 bytes.
Also, you can only manage custom claims on your projects in the admin SDK.
Learn about custom claims here.
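As an added example (not code from the question or either answer), here is the question's "declare admin up front" layout combined with the custom-claims admin check the second answer describes, and with the owner check written against the path wildcard so it also works on reads. Assumptions: the custom claim is named admin and is set server-side with the Admin SDK, the userSettings and userProfiles documents are keyed by the user's uid, and isOwner is a hypothetical helper name.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Admin flag comes from the ID token's custom claims (assumed key: admin),
    // so no extra get() document read is billed on every rule evaluation.
    function isAdmin() {
      return request.auth != null && request.auth.token.admin == true;
    }

    // Compare against the path wildcard rather than request.resource.id:
    // request.resource only exists for writes, so an id-based check silently
    // fails on every read.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // Blanket admin rule. Overlapping allow statements are OR'd together, so this
    // grants admins access everywhere; the nested matches below can only add
    // access for other users, never take it away from admins.
    match /{document=**} {
      allow read, write: if isAdmin();
    }

    // Each user may read and write only /userSettings/<their own uid>.
    match /userSettings/{uid} {
      allow read, write: if isOwner(uid);
    }

    // If the admin flag is kept in userProfiles instead (the question's get()-based
    // approach), the owner must not be able to set or change that field.
    match /userProfiles/{uid} {
      allow read: if request.auth != null;
      allow create: if isOwner(uid) && !('admin' in request.resource.data);
      allow update: if isOwner(uid)
                    && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['admin']);
    }
  }
}
```

Because the recursive wildcard grants admins access to every path, any weakening of isAdmin() is project-wide; the Rules Playground mentioned in the first answer is a quick way to confirm that a non-admin is still denied on an arbitrary path such as /userSettings/<someone else's uid>.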