我正在Firebase和Firestore上开发Web应用程序,这是我正在尝试做的事情:
用户可以上传自己的帖子,并将其可见性设置为公开或私有。
任何已登录的用户都可以查看公开信息,但是只有订阅作者的用户才能查看私有信息。我正在尝试为此编写安全规则。
这是数据库结构:
db.collection('posts').doc({postid})
//When a user writes a post, a new document is created. Includes the boolean 'public' field and the 'uid' field, which stores the writer's uid.
db.collection('subscription').doc({viewer_user_id})
//Once the logged-in user subscribes to another user, a document is created under the user's UID. The doc includes array of the UID of the users the viewer is subscribing.
以下是“帖子”和“订阅”集合中每个文档下相关字段的描述:
posts/{postid}: {
'uid': Writer's uid (String)
'public': Boolean value to reflect visibility. If false, it is private.
}
subscription/{viewer's uid}: {
'subscription': Array of uids of the users the viewer is subscribing.
}
因此,对于私有文档,基本思想是查看订阅集合中查看者的文档,获取数据,并检查其中是否包含编写者的uid。这将需要一些Javascript代码,但我不知道Firestore安全规则中的语法是什么,或者是否可能从此开始。
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function publicOrSubscribed() {
return request.auth.uid!=null&&(resource.data.public==true|| /*What could be the syntax here??*/)
}
match /posts/{postid} {
allow read: if publicOrSubscribed();
allow create: if request.auth.uid!=null;
allow update, delete: if request.auth.uid==resource.data.userid;
}
}
}
有什么建议吗?如果在安全规则中不可能,那么可能的解决方法是什么?预先感谢!