堆栈内存溢出
  简体   繁体   English

如何阅读 Firebase 安全规则中的文档?

[英]How to read a document in Firebase security rules?

 原文  2021-12-29 02:16:17       firebase/ react-native/ google-cloud-firestore/ firebase-security

问题描述

I'm trying to run a test on the simulator for some firebase security rules, but when running it, the resource is always shown as null and the test is never run for the allow write on the bottom level.我正在尝试在模拟器上对一些 firebase 安全规则进行测试,但是在运行它时,资源始终显示为 null 并且永远不会针对底层的允许写入运行测试。 Here's my code for the security rules:这是我的安全规则代码:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
  
    match /{document=**} {
      allow read, write: if isSignedIn(); // only if user is signed in are they allow to do any operation
      
      match /{spaceId} { // Any space: not reading or writing allowed to those docs
            allow read, write: if false;
        }
        match /{spaceId}/posts/{postId} { // any post
            allow read; 
        allow write: if resource.user.uid == request.auth.uid;
        }
    }

在这张图片中,最里面的匹配没有被检查。

在此处输入图像描述

2 个解决方案

解决方案1
 0  2021-12-29 03:30:43

The match /{document=**} says that you're defining rules for this collection and all documents under it . match /{document=**}表示您正在为此集合及其下的所有文档定义规则。 So the top-level allow rule that checks isSignedIn , is also applied to all subcollections.因此,检查isSignedIn的顶级allow规则也适用于所有子集合。 And since rules are OR ed together, that means any signed in user can also read/write the spaceid documents.由于规则是OR编辑在一起的,这意味着任何登录的用户也可以读/写spaceid文档。

To make the match only apply to its own collection, remove the =** from it.要使匹配仅适用于它自己的集合,请从中删除=**

解决方案2
 0  2021-12-29 04:20:42

Frank have right you have vulnerability in rules.弗兰克有权利你在规则上有漏洞。 Rules are work like in css code i'm pretty sure.我很确定,规则就像在 css 代码中一样工作。 First restrict access to all data then allow to do any thing any one.首先限制对所有数据的访问,然后允许任何人做任何事情。

In example below users are only allowed to do some thing in users and app collection.在下面的示例中,用户只被允许在用户和应用程序集合中做一些事情。

match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
    match /users/{userId} {
        allow create: if (isLoggedIn() && !userExist()) || isAdmin());
        allow read, update: if isOwner(userId) || isAdmin());
    }
    match /app/{data} {
        allow write: if isEditor();
        allow read: if true;
    }
}

And solution for your question is resource.data.user.uid you miss data after resource.您的问题的解决方案是resource.data.user.uid您在资源之后错过了数据。 And remember there will be no resource if you create a document write operation is create and update.请记住,如果您创建文档写入操作是创建和更新,那么将没有资源。 Update will work but no create.更新将起作用,但没有创建。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Firebase 安全规则 (.read) - Firebase security rules (.read) Firebase 读取安全规则 - Firebase read security rules Firebase 安全规则 Map 方法 get() 是否算作文档读取? - Does Firebase security rules Map method get() count as a document read? 允许读取的 Firebase 安全规则 - Firebase Security Rules to allow read Firebase 集合组安全规则匹配文档密钥 - Firebase collectionGroup security rules match on document key Firebase 安全规则设置了不允许更新的文档 - Firebase security rules set a document not allowed on update Firebase 安全规则:获取documentID中有空格的文档 - Firebase security rules: Get a document with a space in the documentID Firebase 安全规则 - 访问文档字段 - Firebase Security Rules - Access a document field Firebase安全规则仅用于读取特定项目 - Firebase security rules to read specific items only Firebase安全规则:全部读取单个属性? - Firebase Security Rules: All Read Single Property?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM