【问题标题】:Role based authentication depending on group in google cloud firestore rules基于角色的身份验证取决于 google cloud firestore 规则中的组
【发布时间】:2019-04-04 17:57:42
【问题描述】:

我正在尝试保护用户可以管理其乐队的应用。用户可以是多个乐队的一部分,因此可以根据他们当前正在编辑的乐队担任不同的角色。角色存储在 Band 文档中的 Map 中。

有什么方法可以将此应用于 Firestore 规则?这样函数 getRole() 不仅适用于“bands”,还适用于包含 idBand 字段的其他集合(如“events”)

我的设置如下所示:

我试图做这样的事情:

function getRole(){
    return get(/databases/{database}/documents/bands/request.resource.data.idBand/members/$(request.auth.uid)).data.role
}

match /bands/{document=**}  {
    allow read;
  allow write: if getRole() == 'OWNER';
}  

【问题讨论】:

    标签: firebase google-cloud-firestore


    【解决方案1】:

    试试这样的:

    // Rules for a band document and its subcollections
    match /bands/{bandID}{
    
      function isBandOwner(userID){ 
        // Determine if user is a band owner
        return get(/databases/$(database)/documents/bands/$(bandID)).data.members[userID].role == 'OWNER';
      }
    
      // Anyone can read
      allow read;
    
      // Only authenticated owners can write to band doc
      allow write: if request.auth != null && isBandOwner(request.auth.uid);
    
       // Rules for all of a band's subcollections
         match /{document=**}{
    
         // Anyone can read
         allow read;
    
         // Only authenticated owners can write to a band's subcollections
         allow write: if request.auth != null && isBandOwner(request.auth.uid);
    
       }        
    }
    

    为了试一试,我们也限制读取,尝试读取一些测试文档:

    allow read: if isBandOwner(request.auth.uid);
    

    Set up Firebase Auth with Google Sign-in 并尝试从 Cloud Firestore 读取:

    <script src="https://www.gstatic.com/firebasejs/5.5.9/firebase.js"></script>
    <script>
      // Initialize Firebase
      // TODO: Replace with your project's customized code snippet
      var config = {
        apiKey: "<API_KEY>",
        authDomain: "<PROJECT_ID>.firebaseapp.com",
        databaseURL: "https://<DATABASE_NAME>.firebaseio.com",
        projectId: "<PROJECT_ID>",
        storageBucket: "<BUCKET>.appspot.com",
        messagingSenderId: "<SENDER_ID>",
      };
      firebase.initializeApp(config);
    
      //Sign in with Google
      var provider = new firebase.auth.GoogleAuthProvider();
    
      firebase.auth().signInWithPopup(provider).then(function(result) {
      // This gives you a Google Access Token. You can use it to access the Google API.
      var token = result.credential.accessToken;
      // The signed-in user info.
      var user = result.user;
      console.log(`UserId: ${user.uid}`)
    
      // Try reading Firestore docs
      var db = firebase.firestore();
    
        // Disable deprecated features
        db.settings({
          timestampsInSnapshots: true
        });
    
        // This doc has members.[my-uid].role = "OWNER"
        // Read should succeed
        db.doc("bands/abc").get().then((doc) => {
                console.log(`${doc.id} => ${doc.data().name}`);
        });
    
        // This doc has members.[my-uid].role = "BANDMEMBER"
        // Read should fail
        db.doc("bands/def").get().then((doc) => {
                console.log(`${doc.id} => ${doc.data().name}`);
        });
      // ...
    }).catch(function(error) {
      // Handle Errors here.
      var errorCode = error.code;
      var errorMessage = error.message;
      // The email of the user's account used.
      var email = error.email;
      // The firebase.auth.AuthCredential type that was used.
      var credential = error.credential;
      // ...
      console.log('error login');
    });
    </script>
    

    【讨论】:

    • 不客气!如果events 是乐队的子集合,则上述规则将起作用。
    • 至于是不是你想要的,这取决于你需要的查询。如果您只对单个乐队的活动感兴趣,那么子系列是有意义的。如果您还想在单个活动中列出所有乐队,那么您可能需要一个 events 集合,每个 event 文档跟踪所有参与乐队。
    • 嗯,我相信它对我有用。您是在模拟器中还是在您的应用程序中尝试过它,并且有什么要求?想到的另一件事是,如果用户自己创建乐队,您可能需要一个单独的 create 案例。
    • 我会再试一次。 write 的规则是否按预期工作?
    • 试了试,按预期工作。您能否验证是否为您的应用正确设置了身份验证并向您的问题添加一些示例查询?用我用来验证的代码更新我的答案。
    猜你喜欢
    • 2018-04-04
    • 2016-01-03
    • 2020-11-28
    • 1970-01-01
    • 1970-01-01
    • 1970-01-01
    • 2014-04-04
    • 2015-05-17
    • 1970-01-01
    相关资源
    最近更新 更多