用户只能在Firestore上读/写自己的提交

时间:2018-09-12 17:42:22

标签: javascript firebase google-cloud-firestore firebase-security

我迷失了Firestore规则。

我希望经过身份验证的用户能够阅读他们自己的提交,但是我一直收到的权限不足。我正在将userId写入每个提交中。 

// add submit to submits collection in firestore
    db.collection('submits').add({
      user: this.user,
      number: this.number,
      timestamp: moment.utc(this.timestamp).format(),
      usage: this.usage
    })

我在这里检查哪个用户已登录并获取该用户的提交

 let ref = db.collection('users')

// get current user
ref.where('user_id', '==', firebase.auth().currentUser.uid).get()
  .then(snapshot => {
    snapshot.forEach(doc => {
      this.user = doc.data()
      this.user = doc.data().user_id
    })
  })
  .then(() => {
    // fetch the user previous submits from the firestore
    db.collection('submits').where('user', '==', this.user).get()
      .then(snapshot => {
        // console.log(snapshot)
        snapshot.forEach(doc => {
          let submit = doc.data()
          submit.id = doc.id
          submit.timestamp = moment(doc.data().timestamp).format('lll')
          this.previousSubmits.push(submit)
        })
      })
  })
  }

这些是我的Firestore规则

service cloud.firestore {
match /databases/{database}/documents {

// Make sure the uid of the requesting user matches name of the user
// document. The wildcard expression {userId} makes the userId variable
// available in rules.
match /users/{userId} {
  allow read, update, delete: if request.auth.uid == userId;
  allow create: if request.auth.uid != null;
}

// check if the user is owner of submits he is requesting
match /submits/{document=**} {
     allow read: if resource.data.user == request.auth.uid;
         allow write: if request.auth.uid != null;    
   }


 }
}

有人知道我在做什么错吗?

更新,在用户集合中添加了用于创建用户文档的代码: 

signup () {
  if (this.alias && this.email && this.password) {
    this.slug = slugify(this.alias, {
      replacement: '-',
      remove: /[$*_+~.()'"!\-:@]/g,
      lower: true
    })
    let ref = db.collection('users').doc(this.slug)
    ref.get().then(doc => {
      if (doc.exists) {
        this.feedback = 'This alias already exists'
      } else {
        firebase.auth().createUserWithEmailAndPassword(this.email, this.password)
          .then(cred => {
            ref.set({
              alias: this.alias,
              household: this.household,
              user_id: cred.user.uid
            })
          }).then(() => {
            this.$router.push({ name: 'Dashboard' })
          })
          .catch(err => {
            console.log(err)
            this.feedback = err.message
          })
        this.feedback = 'This alias is free to use'
      }
    })
  }
}

1 个答案:

答案 0 :(得分:2)

部分问题是您正在尝试搜索user_id字段等于用户ID的文档,但是您的安全规则说:“只有ID允许用户阅读文档文件的ID与用户ID相同”,这是完全无关的,而且我不知道您的情况是否确实如此。

一种选择是更改规则,说:“嘿,如果user_id字段的值等于您的用户ID,则可以读取/更改文档,就像这样... 

match /users/{userId} {
  allow read, update, delete: if request.auth.uid == resource.data.user_id;
  // ...
}

...或更改查询,以便您查询ID为当前用户UID的特定文档。

 let ref = db.collection('users').document(currentUser.uid)

 ref.get() {... }

但是,我想不要同时做这两个事情。 :)

相关问题
最新问题