堆栈内存溢出
  简体   繁体   English

将 UID 与文档字段匹配的 Firestore 规则不起作用

[英]Firestore Rules matching UID with Document Field not working

 原文  2020-12-01 16:56:48       firebase/ google-cloud-firestore/ firebase-security

问题描述

Having a little problem with a Firebase Rule. Firebase 规则有一点问题。

Here is a sample record:这是一个示例记录: 记录的示例图像

Here is my rule:这是我的规则:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /question/{questionId}{
      allow read : if (request.auth.token.email_verified == true) &&
       (request.auth.uid == resource.data.quid);
    }
  }
}

This fails with:这失败了:

FirebaseError: [code=permission-denied]: Missing or insufficient permissions FirebaseError:[code=permission-denied]:权限缺失或不足

However, when changing (request.auth.uid == resource.data.quid);但是,更改时(request.auth.uid == resource.data.quid); to (request.auth.uid == 'gTEsGw3cUlaCswmVwpgdSzEd1TW2');(request.auth.uid == 'gTEsGw3cUlaCswmVwpgdSzEd1TW2'); it works fine.它工作正常。 I can also match against email address just fine.我也可以匹配 email 地址就好了。 Just not the uid to quid field.只是不是 uid 到 quid 字段。

Thoughts?想法?

If it matters, this is the query in my code:如果重要的话,这是我的代码中的查询:

const showQuestions = () => {db.collection('question').where("email", "==", userObject.email).onSnapshot( data => {
        questions = data.docs;
    })
}

1 个解决方案

解决方案1
 1 已采纳  2020-12-01 17:51:01

Your query does not match your rules.您的查询不符合您的规则。 Your rule absolutely requires that the user must only query for specific documents where their UID matches quid field of the document.您的规则绝对要求用户只能查询其 UID 与文档的 quid 字段匹配的特定文档。 However, your query doesn't put any requirements on the quid field.但是,您的查询对 quid 字段没有任何要求。 It's important to know that Firestore security rules are not filters , and they will not allow a query where there is any possibility of matching a document that does not satisfy the rules as written.重要的是要知道Firestore 安全规则不是过滤器,并且它们不允许查询有可能匹配不满足所写规则的文档。

In order to get your query to work, it must specify a filter on the quid field that matches the requirements of the rule.为了使您的查询正常工作,它必须在 quid 字段上指定一个符合规则要求的过滤器。

db.collection('question')
    .where("email", "==", userObject.email)
    .where("quid", "==", uid)

where uid is the UID of the currently signed in user (eg firebase.auth().currentUser.uid ).其中uid是当前登录用户的 UID(例如firebase.auth().currentUser.uid )。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 文档字段的 Firestore 规则 - Firestore rules for document field 仅允许从文档中的 uid 更新(firestore 安全规则)? - Allow update only from uid in the document (firestore security rules)? Firebase Firestore 规则:如何检查对文档的引用是否包含请求者的 uid? - Firebase Firestore rules : How to check if the reference to document contains the uid of the requester? 在 Firestore 中创建 UID 作为字段 - Creating a UID as a field in Firestore 在处理 Firestore 规则时,我无法检查文档中是否存在字段 - I can't check if field exists in document when working on firestore rules 尽管规则与文档集路径匹配,但Firestore权限被拒绝 - Firestore Permission Denied inspite of rules matching document set path Firestore安全规则不适用于特定领域 - Firestore security rules not working on specific field Firestore安全规则:无法检查子集合中的文档是否等于用户UID - Firestore Security Rules: Can't check if document from sub-collection equals user UID 如何使用 uid 文档 ID FirebaseAuth Firestore 获取 Firestore 字段信息 - How to get Firestore field information using an uid document id FirebaseAuth Firestore Cloud Firestore安全规则 - 文档中的单个受保护字段 - Cloud Firestore security rules - single protected field in a document
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM