[英]Can not write firestore security rule for top level collection (list permission) given a specific authenticated user (uid) for an android app
I'm just starting to use Firebase services (firestore) and I can't figure out why the following does not work.我刚刚开始使用 Firebase 服务(firestore),我不知道为什么以下不起作用。
Here is my security rules file:这是我的安全规则文件:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents/{document=**} {
allow read, write: if request.auth.uid == resource.data.user_id;
}
}
My database is structured as followed:我的数据库结构如下:
A top-level collection called memos contains documents.称为备忘录的顶级集合包含文档。 I only have one, "H5i5p0zenBwkV7vsS12G" in my example.
在我的示例中,我只有一个“H5i5p0zenBwkV7vsS12G”。 It is named after its auto-generated id.
它以其自动生成的 ID 命名。 This document has 2 data fields.
该文档有 2 个数据字段。 One "user_id" String data equal to "7llpal4k0xVxILawceAPPsJe3Vy1" and one "title" String data equal to "Hello Firestore User".
一个“user_id”字符串数据等于“7llpal4k0xVxILawceAPPsJe3Vy1”,一个“title”字符串数据等于“Hello Firestore User”。
/memos/H5i5p0zenBwkV7vsS12G with some data: {
title: "Hello Firestore User"
user_id: "7llpal4k0xVxILawceAPPsJe3Vy1"
}
It works perfectly when I run a get (/databases/(default)/documents/memos/H5i5p0zenBwkV7vsS12G) operation using both the testing tool and my android app.当我使用测试工具和我的 android 应用程序运行get (/databases/(default)/documents/memos/H5i5p0zenBwkV7vsS12G) 操作时,它工作得很好。
But every time I request a list of the memos collection using但每次我要求使用备忘录收藏列表
Firebase.firestore.collection("memos")
it fails with a permission denied exception.它因权限被拒绝异常而失败。 Here is the associated logs:
这是相关的日志:
2021-11-08 19:36:00.946 2996-3045/com.ygoular.memo I/Firestore: (23.0.4) [WatchStream]: (e04cf9f) Stream sending: # com.google.firestore.v1.ListenRequest@7a872c89
add_target {
query {
parent: "projects/memo-da978/databases/(default)/documents"
structured_query {
from {
collection_id: "memos"
}
order_by {
direction: ASCENDING
direction_value: 1
field {
field_path: "__name__"
}
}
}
}
target_id: 2
}
database: "projects/memo-da978/databases/(default)"
2021-11-08 19:36:00.946 2996-3045/com.ygoular.memo I/Firestore: (23.0.4) [FirestoreCallCredentials]: Successfully fetched token.
2021-11-08 19:53:05.815 4440-4480/com.ygoular.memo I/Firestore: (23.0.4) [WatchStream]: (2faa0c0) Stream received: # com.google.firestore.v1.ListenResponse@c4bcaabe
target_change {
cause {
code: 7
message: "Missing or insufficient permissions."
}
target_change_type: REMOVE
target_change_type_value: 2
target_ids: 2
}
This call is made after being authenticated.此调用是在经过身份验证后进行的。 I am sure that my app is authenticated at that moment because if I modify the security rule with the following:
我确信我的应用程序在那一刻已经过身份验证,因为如果我使用以下内容修改安全规则:
allow read, write: if request.auth.uid != null
it passes and returns the available memos.它通过并返回可用的备忘录。 I am also certain that the user ids are supposed to match because I pasted the value returned by
我也确定用户 ID 应该匹配,因为我粘贴了返回的值
FirebaseAuth.getInstance().currentUser.uid
to the memo "user_id" field in the database after the phone authentication has been performed.执行电话身份验证后,到数据库中的备忘录“user_id”字段。 This id will never change for that provider (phone).
对于该提供商(电话),此 ID 永远不会更改。
Here is the uid obtained from the logcat:这是从 logcat 中获得的 uid:
2021-11-08 19:53:05.633 4440-4440/com.ygoular.memo E/Test: uid: 7llpal4k0xVxILawceAPPsJe3Vy1
The only way I could make this work is by creating a top collection /users that has its document name as its user id.我可以完成这项工作的唯一方法是创建一个顶级集合 /users ,其文档名称作为其用户 ID。 In that case the document contains the subcollection /memos and the rule would look something like this:
在这种情况下,文档包含子集合 /memos 并且规则看起来像这样:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents/users/{userId}/{anythingBehind=**} {
allow read, write: if request.auth.uid == userId;
}
}
If you have any idea how this could be solved, please let me know!如果您知道如何解决此问题,请告诉我! :) Thanks a lot.
:) 非常感谢。
RULES ARE NOT FILTERS规则不是过滤器
I'll repeat that我再说一遍
RULES ARE NOT FILTERS规则不是过滤器
in fact, I'll let the documentation repeat it again:事实上,我会让文档再次重复一遍:
https://firebase.google.com/docs/firestore/security/rules-query https://firebase.google.com/docs/firestore/security/rules-query
Rules do NOT check EACH record to see if each is allowed.规则不检查每个记录以查看每个记录是否被允许。 Rules check to see if the query AS WRITTEN might match a disallowed record - in which case the ENTIRE QUERY is disallowed.
规则检查以查看查询 AS WRITTEN是否可能与不允许的记录匹配 - 在这种情况下,不允许使用 ENTIRE QUERY。 It does NOT EVEN check to see if ONE of the records might work - you MUST do a QUERY that AT LEAST specifies the user_Id field.
它甚至不检查其中一条记录是否可以工作 - 您必须执行至少指定 user_Id 字段的查询。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.