我有一个 Firestore 规则,如果用户身份验证的自定义声明令牌的“businesses”数组包含文档(这是一个数组)的“businessIds”字段中的所有项目,则用户应该是允许读取和写入该文档,如下所示:
match /users/{userId} {
allow read, write: if resource.data.businessIds.hasOnly(request.auth.token.businesses);
}
但是这个规则不允许读/写任何文件。这是我的测试:
it("Allows a marketeer to read all its users", async () => {
...
const mp1UserId = "MP1_user_crm";
const mp1Doc = admin.collection("users").doc(mp1UserId);
await mp1Doc.set({displayName: "MP CRMer for MP1", type: "MP CRMer", businessIds: ["MP1_ID"]});
const marketeerAuth = {uid: "marketeer_user", businesses: ["MP1_ID", "MP2_ID"]};
const db = base.getFirestore(marketeerAuth);
const testRead = db.collection("users")
.where("businessIds", "array-contains-any", marketeerAuth.businesses);
var all = testRead.get();
await base.firebase().assertSucceeds(all); // FAILS HERE
});
我找不到编写满足规则的查询的方法。 hasOnly() 中的 firebase.firestore.WhereFilterOp 显然没有运算符。
请注意,它抱怨 hasOnly:
FirebaseError:
false for 'list' @ L59, Function not found error: Name: [hasOnly]. for 'list' @ L136
如何编写可以通过安全规则的查询?
更新:
我被要求解释“request.auth.token.businesses”中的内容。使用其自定义声明令牌进行身份验证如下(也可以在 Rule Playground 中构建):
"auth": {
"uid": "marketeer_user"
"token": {
"sub": ""
"aud": "hanOnly-sandbox"
"firebase": {
"sign_in_provider": "custom"
}
"businesses": [
"MP1_ID",
"MP2_ID",
]
}
}
“resource.data.businessIds”中的数据如下数据库结构: