控制对 Firestore 文档的访问
[英]Control access to Firestore documents
问题描述
I am creating a mock app which allows users to upload "reports".
我正在创建一个允许用户上传“报告”的模拟应用程序。 These reports are stamped with a "creatorId", which is the uid of the user who creates the report.这些报告带有“creatorId”标记,这是创建报告的用户的 uid。
I'm trying to use firebase queries to only request documents whose creatorId matches the currently logged in user's uid, to prevent requests for another user's documents.我正在尝试使用 firebase 查询仅请求其 creatorId 与当前登录用户的 uid 匹配的文档,以防止请求其他用户的文档。
I just can't seem to get it to work.我似乎无法让它工作。 I can make it work for collections easy peasy, but can't figure it out for individual docs.我可以让它轻松地为 collections 工作,但无法为个别文档弄清楚。
const ref = projectFirestore.collection(collection).doc(id)
This is part of my useDocument hook, to which I pass "reports" and the id in question just fine, but this allows me to access the doc even if it has a creatorId which doesn't match the currently logged in user.这是我的 useDocument 挂钩的一部分,我向其传递“报告”和有问题的 id 就好了,但这允许我访问该文档,即使它的 creatorId 与当前登录的用户不匹配。
My query is:我的查询是:
["creatorId", "==", user.uid]
Which I also pass into the hook as a prop, but I cannot for the life of me figure where to put it - the query seems to be completely ignored whatever I do, and so the doc remains open to any and all.我也将其作为道具传递给钩子,但我终究无法确定将它放在哪里 - 无论我做什么,查询似乎都被完全忽略了,因此该文档对所有人开放。 I think I am going mad.我想我要疯了。
1 个解决方案
解决方案1
0 已采纳 2022-04-07 16:36:05
Client app code can never be trusted to do the right thing, since it's running on a machine you don't control.永远不能相信客户端应用程序代码会做正确的事情,因为它在您无法控制的机器上运行。 If you want to restrict access to documents, you will need to learn about security rules .如果您想限制对文档的访问,则需要了解安全规则。 In particular, you will want to study how to limit access to documents using the currently signed in user's UID .特别是,您需要研究如何使用当前登录用户的 UID来限制对文档的访问。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.