Firestore security rules with functions return an unknown error

Question  Votes: 0  Answers: 1

I have a set of users:

users:
   userUid:
       group: "group_1"
       name: "Paul"
   userUid:
       group: "group_1"
       name: "Gregor"
   userUid:
       group: "group_2"
       name: "Mary"

and a set of shopping lists:

shoppingList:
   listUid:
        isActive: true,
        group: "group_1",
        name: "list_ONE"
   listUid:
        isActive: false,
        group: "group_1",
        name: "list_TWO"
   listUid:
        isActive: true,
        group: "group_2",
        name: "list_THREE"

I want to restrict read/update access so that only people who belong to a given group can read/edit the documents of that same group.

I tried the following rules to view the docs, but in the Firebase console simulator I get an "unknown error" and no hint in the console:

service cloud.firestore {
  match /databases/{database}/documents {      

    function signedIn() {
      return request.auth.uid != null;
    }

    function getGroup(usr) {
      return usr.data.group;
    }

    function isInGroup(usr, groupName) {
       return signedIn() && (getGroup(usr) == groupName);
    }


    match /users/{user} {
      // Read access needed to get the user group
        allow read: if signedIn();  
    }


    match /shoppingLists/{shoppingList} {
      // Everybody can create a new list
      allow create: if signedIn();

      // Only people from the list group can read/update that list
      allow read: if isInGroup(get(/databases/$(database)/documents/users/$(request.auth.uid)), resource.data.group);

      allow update: if isInGroup(get(/databases/$(database)/documents/users/$(request.auth.uid)), request.resource.data.group)
                       && request.resource.data.isActive;
    }
  }
}
firebase google-cloud-firestore firebase-security-rules
1 answer
0 votes

You are not using get() correctly in your rules. You are passing a string path to the document involving the collection and document, but get() requires that you pass 1) a path object, not a string, and 2) one prefixed with /databases/$(database)/documents. You should read the documentation on accessing other documents for some examples, for instance:

service cloud.firestore {
  match /databases/{database}/documents {
    match /cities/{city} {
      // Make sure a 'users' document exists for the requesting user before
      // allowing any writes to the 'cities' collection
      allow create: if exists(/databases/$(database)/documents/users/$(request.auth.uid));

      // Allow the user to delete cities if their user document has the
      // 'admin' field set to 'true'
      allow delete: if get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
    }
  }
}
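The following is an added example, not code from the question, the answer or Firebase itself: an in-memory JavaScript model of the question's rules that mirrors signedIn(), getGroup(), isInGroup() and the read/update conditions so their evaluation can be traced offline. The user and list documents, the uids (uid_paul, uid_gregor, uid_mary, uid_unknown) and the requests are constructed for the example. It assumes two things about the rules engine that are worth checking in the emulator: any error raised while evaluating a rule expression is treated as a deny, and get() of a document that does not exist is modelled here as such an error. It also goes beyond the page in one respect: because the question's update rule compares the user's group with request.resource.data.group (the incoming document) rather than resource.data.group (the stored one), a group_1 member can update a group_2 list by rewriting its group field; the hardened variant below, which is an assumption rather than something the page states, also checks the stored group.

```javascript
// Added example: an offline model of the question's Firestore rules.
// Constructed sample documents (keys stand in for the document ids).
const users = {
  uid_paul:   { group: "group_1", name: "Paul" },
  uid_gregor: { group: "group_1", name: "Gregor" },
  uid_mary:   { group: "group_2", name: "Mary" },
};

const shoppingLists = {
  list_one:   { isActive: true,  group: "group_1", name: "list_ONE" },
  list_two:   { isActive: false, group: "group_1", name: "list_TWO" },
  list_three: { isActive: true,  group: "group_2", name: "list_THREE" },
};

// Models get(/databases/$(database)/documents/users/$(uid)).
// Assumption: a missing document surfaces as an evaluation error.
function getUserDoc(uid) {
  if (!(uid in users)) throw new Error(`users/${uid} does not exist`);
  return { data: users[uid] };
}

// function signedIn() { return request.auth.uid != null; }
function signedIn(request) {
  return request.auth !== null && request.auth.uid != null;
}

// function getGroup(usr) { return usr.data.group; }
function getGroup(usr) {
  return usr.data.group;
}

// function isInGroup(usr, groupName) { return signedIn() && getGroup(usr) == groupName; }
function isInGroup(request, usr, groupName) {
  return signedIn(request) && getGroup(usr) === groupName;
}

// Wraps a rule expression the way the engine does: an error is a deny.
function evaluate(ruleFn) {
  try { return ruleFn() === true; } catch (_) { return false; }
}

// allow read: if isInGroup(get(...users/$(request.auth.uid)), resource.data.group);
function canRead(request, listId) {
  const resource = { data: shoppingLists[listId] };
  return evaluate(() =>
    isInGroup(request, getUserDoc(request.auth.uid), resource.data.group));
}

// allow update: if isInGroup(get(...users/$(request.auth.uid)), request.resource.data.group)
//                  && request.resource.data.isActive;
// The stored document is never consulted: only the incoming data decides.
function canUpdateAsWritten(request, _listId, newData) {
  const requestResource = { data: newData };
  return evaluate(() =>
    isInGroup(request, getUserDoc(request.auth.uid), requestResource.data.group)
    && requestResource.data.isActive === true);
}

// Hardened variant (assumption, not from the page): the user must belong to
// the list's stored group, and the update may not change that group.
function canUpdateHardened(request, listId, newData) {
  const resource = { data: shoppingLists[listId] };
  const requestResource = { data: newData };
  return evaluate(() => {
    const usr = getUserDoc(request.auth.uid);
    return isInGroup(request, usr, resource.data.group)
      && requestResource.data.group === resource.data.group
      && requestResource.data.isActive === true;
  });
}

// Builds a request object as the rules would see it; null means unauthenticated.
const asUser = (uid) => ({ auth: uid === null ? null : { uid } });
```

Running canUpdateAsWritten(asUser("uid_paul"), "list_three", { isActive: true, group: "group_1", name: "x" }) returns true, while canUpdateHardened returns false for the same request; reads by an unauthenticated caller or by a uid with no users document are denied in both variants because the expression errors before reaching a comparison.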