【Question title】: Firestore rules 'Simulated read allowed' but fails in browser
【Posted】: 2021-10-03 11:47:07
【Question】:

My security rules are very simple. I have two collections: riders and races

  • riders: can only be read or written when the user is logged in
  • races: unauthenticated users can read; writes only when the user is logged in.
service cloud.firestore {
  match /databases/{database}/documents {    
    // restrict read/write on all to authenticated
    match /{document=**} {
      allow read, write: if request.auth != null;
      
      // then allow collection read if match
      match /races/{id} {
        allow read, list: if true;
      } 
      
    }
  }  
}

These rules produce what appears to be a correct setup when using the Firebase console Rules Playground, but in the browser, while an authenticated user behaves as expected, an unauthenticated user gets an error when calling races:

core.js:6456 ERROR FirebaseError: Missing or insufficient permissions.
    at new e (prebuilt-47338342-439a2133.js:188)
    at prebuilt-47338342-439a2133.js:10415
    at prebuilt-47338342-439a2133.js:10416
    at e.onMessage (prebuilt-47338342-439a2133.js:10438)
    at prebuilt-47338342-439a2133.js:10355
    at prebuilt-47338342-439a2133.js:10386
    at prebuilt-47338342-439a2133.js:15146
    at ZoneDelegate.invoke (zone.js:372)
    at Zone.run (zone.js:134)
    at zone.js:1276
// service call

this.racesCollection = this.firestore.collection<Race>('races');

this.racesCollection
      .doc(id)
      .valueChanges()
      .pipe(takeUntil(this.destroy$))
      .subscribe((response: any) => {
        console.log('=== APP SERVICE emits race ===', response);
        this.race.next(response);
      });

I have tried rewriting the rules but can't seem to solve this. Any help or ideas appreciated! Thanks.

【Question discussion】:

    Tags: javascript google-cloud-firestore firebase-security


    【Answer 1】:

    You should write your security rules so that they overlap:

    service cloud.firestore {
      match /databases/{database}/documents {    
        // restrict read/write on all to authenticated
        match /{document=**} {
          allow read, write: if request.auth != null;      
        }
    
        // then allow read for the races collection for all users
        match /races/{id} {
          allow read, list: if true;
        } 
    
      }  
    }
    

    Also, note that list is a "sub-case" of read, so you can remove the list rule, i.e. just do allow read: if true;


    By the way, the simulator does correctly indicate that, if you are not authenticated, your rules do not allow reading documents in the races collection.
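To see why the nested layout from the question denies the anonymous read while the sibling layout in the answer allows it, here is a small model of rules evaluation. It is an added example, not Firestore's engine and not code from the question or answer; it assumes rules version 1 semantics (the recursive wildcard {name=**} matches one or more path segments, a nested match's path is appended to its parent's, and a read is granted if any matching allow statement evaluates to true), and works on paths relative to /databases/{database}/documents.

```javascript
// Added example: simplified model of Firestore rules matching (assumed v1 semantics).

// Match a fully expanded rule path pattern against a request path (arrays of segments).
function pathMatches(pattern, path) {
  if (pattern.length === 0) return path.length === 0;
  const [seg, ...rest] = pattern;
  if (/^\{\w+=\*\*\}$/.test(seg)) {
    // v1 recursive wildcard: consume ONE OR MORE segments, then match the remainder
    for (let n = 1; n <= path.length; n++) {
      if (pathMatches(rest, path.slice(n))) return true;
    }
    return false;
  }
  if (path.length === 0) return false;
  // single-segment wildcard such as {id}, or a literal segment such as races
  const segOk = /^\{\w+\}$/.test(seg) || seg === path[0];
  return segOk && pathMatches(rest, path.slice(1));
}

// Flatten nested match blocks: a child's path is appended to its parent's path.
// Block shape: { path: '/races/{id}', allow: (req) => bool, children: [...] }
function flatten(block, prefix = []) {
  const full = prefix.concat(block.path.split('/').filter(Boolean));
  const rules = block.allow ? [{ pattern: full, allow: block.allow }] : [];
  for (const child of block.children || []) rules.push(...flatten(child, full));
  return rules;
}

// A read is allowed if ANY matching allow statement's condition is true (rules are OR'd).
function readAllowed(rootBlock, docPath, request) {
  const segments = docPath.split('/').filter(Boolean);
  return flatten(rootBlock).some(r => pathMatches(r.pattern, segments) && r.allow(request));
}

const authed = (req) => req.auth != null;

// The question's layout: /races/{id} nested INSIDE /{document=**},
// so its effective path is /{document=**}/races/{id}
const nested = { path: '/{document=**}', allow: authed,
  children: [{ path: '/races/{id}', allow: () => true }] };

// The answer's layout: /races/{id} as a SIBLING of /{document=**}
const sibling = { path: '/', children: [
  { path: '/{document=**}', allow: authed },
  { path: '/races/{id}', allow: () => true } ] };

// Constructed sample requests: anonymous and signed-in
const anon = { auth: null };
const user = { auth: { uid: 'constructed-uid' } };
console.log('nested, anon read /races/abc :', readAllowed(nested, '/races/abc', anon));
console.log('sibling, anon read /races/abc:', readAllowed(sibling, '/races/abc', anon));
```

In the nested layout the anonymous read of /races/abc matches no allow statement, because the recursive wildcard needs at least one segment before races; in the sibling layout the /races/{id} rule matches on its own, while /riders stays restricted to signed-in users.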

    【Comments】:
