Question

为Firestore构造安全规则时遇到了问题。具体来说：

db.collection("boards").whereEqualTo("roles.${me.email}", "admin")始终失败，并出现PERMISSION_DENIED错误。

奇怪的是，获取单个文档的工作就像一种魅力。据我了解，此查询不会违反我的任何安全规则。它应始终返回isAnyRole(resource)函数的子集合。

我的安全规则：

service cloud.firestore {
match /databases/{database}/documents {

function isSignedIn() {
    return request.auth != null;
}

match /boards/{board} {

    //Board has owner and 3 possible roles:
    //* admin: can do everything, like an owner, but can be removed
    //* idea_reader: has read only access to the board and its ideas
    //* idea_editor: har write access to ideas and read access to the board itself
    function roles() {
    return ['admin', 'idea_reader', 'idea_editor'];
        }

    function isOwner(rsc) {
    return request.auth.uid == rsc.data.ownerId;
  }

  function getRole(rsc) {
    return rsc.data.roles[request.auth.token.email];
  }

  function isOneOfRoles(rsc, array) {
    // Determine if the user is one of an array of roles
    return isSignedIn() && (getRole(rsc) in array);
  }

  function isAnyRole(rsc) {
    //Determine if user is any role or owner. 
    return isOwner(rsc) || isOneOfRoles(rsc, roles());
  }

  function isValidNewBoard() {
    // Valid if story does not exist and data is set correctly
    return resource == null
                && request.resource.data.ownerId == request.auth.uid
          && request.resource.data.name != null;
  }

  function isValidBoardUpdate() {
    // Valid if ownerId didn't change and called by owner of admin
    return (isOwner(resource) || isOneOfRoles(resource, ['admin']))
                    && resource.data.ownerId == request.resource.data.ownerId
                    && request.resource.data.name != null;
  }

  // Owner and admin can edit. Owner can delete. 
  allow write: if isValidNewBoard() || isValidBoardUpdate();
  allow delete: if isOwner(resource);

  // Owner and any role can read 
  allow read: if isAnyRole(resource);

  match /ideas/{idea} {
    // Any role can read ideas 
    allow read: if isAnyRole(get(/databases/$(database)/documents/boards/$(board)));

    //Owner, admin and idea_editor can edit ideas
    allow write: if isOwner(get(/databases/$(database)/documents/boards/$(board)))
                                || isOneOfRoles(get(/databases/$(database)/documents/boards/$(board)), ['admin', 'idea_editor']);
  }

}

match /{document=**} {
  allow read, write: if false;
}

}
}

Answer 1

问题出在查询，而不是安全规则。这是一件棘手的小事情，没有得到很好的记录。因此，让我们看一下我的查询：

db.collection("boards").whereEqualTo("roles.${me.email}", "admin")

，我们假设电子邮件为n.surname@gmail.com。然后查询如下所示：

db.collection("boards").whereEqualTo("roles.n.surname@gmail.com", "admin")

因此，Firestore首先尝试访问对象roles，然后访问n内部的对象roles，依此类推。这就是查询被拒绝的原因-它不符合定义的安全规则。如果可行，我可能会有无法访问的查询板。

要解决该问题，我必须使用FieldPath修改查询：

db.collection("boards").whereEqualTo(FieldPath.of("roles", me.email), ROLE_ADMIN)

Answer 2

不是模板文字

db.collection("boards").whereEqualTo(`roles.${me.email}`, "admin")

代替

db.collection("boards").whereEqualTo("roles.${me.email}", "admin")

因此，当您尝试查询安全规则未涵盖的文档时（me.email！==“ $ {me.email}”; me.email ===`$ {me.email} `），您将始终收到权限拒绝错误。

Firestore查询权限被拒绝

2 个答案: