stackoom
  简体   繁体   中英

Firestore document query allowed with get() but denied using where()

 原文  2020-05-20 20:39:18       javascript/ firebase/ google-cloud-firestore/ firebase-security

Question

I am unit testing the firestore security rules below which allows a member of a group to read the groups collection if their userId is a key in the roles map.

function isMemberOfGroup(userId, groupId) {
    return userId in get(/databases/$(database)/documents/groups/$(groupId)).data.roles.keys();
}

match /groups/{groupId} {
    allow read: if isMemberOfGroup(request.auth.uid, groupId);
}

Sample groups collection

{
    name: "Group1"
    roles: {
        uid: "member"
    }
}

My unit test performs a get() of a single document which succeeds.

It then performs a get() using a where() query which fails.

it("[groups] any member of a group can read", async () => {
    const admin = adminApp({ uid: "admin" });
    const alice = authedApp({ uid: "alice" });

    // Groups collection initialisation
    await firebase.assertSucceeds(
        admin.collection("groups")
        .doc("group1")
        .set({ name: "Group1", roles: { alice: "member" } })
    );

    // This succeeds
    await firebase.assertSucceeds(
        alice.collection("groups")
        .doc("group1")
        .get()
    );

    // This fails
    await firebase.assertSucceeds(
        alice.collection("groups")
            .where(new firebase.firestore.FieldPath('roles', 'alice'), '==', "member")
            .get()
        );
    });

It fails with the error:

FirebaseError: 
Null value error. for 'list' @ L30

where L30 points to the allow read security rule

I know that firestore rules are not responsible for filtering and will deny any request that could contain documents outside of the rule. However from what I understand, my where() should be limiting this correctly.

Is there a problem with my where() query or my rules?

1 answers

solution1
 1 ACCPTED  2020-05-20 21:16:30

The problem is still that security rules are not filters. Since your rule depends on a specific document ID (in your case, groupId ), that value can never be used in the rule as part of a comparison. Since rules are not filters, the rule must work for any possible value of groupId without knowing it an advance , since the rule will not get() and check each individual group document.

The security check you have now will simply not work for queries for this reason. Instead, consider storing a list of per-user group access in custom claims or a single document that the user can read, so they can then iterate the list and get() only the specific groups they've been told they have access to.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to perform "where" query using document ID in Cloud Firestore Cloud Firestore document .get() and .where() functions not recognized Get Firestore document where value not in array Firestore: Get subcollection of document found with where Firestore get document where subcollection exist How to get the document ref to a where clause firestore? How to get parent document of firestore collectionGroup query? How to get the second 10 document in a Firestore Query? Javascript firestore:how to get results of a where query Firebase Firestore where() query can't find document
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM