Firestore security rule get() not work

2019-01-14 08:46发布

站内问答 / 前沿技术
1052 4 4

The solution is in the end of the post. Check it out.

Решение проблемы в конце поста. Дочитайте.

just a simple question: whats wrong with this and why this is not working?

Trying to get access with user who has role 'admin' in users section to the /titles/{anyTitle} but still get

Missing or insufficient permissions.

service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow write: if false;
      allow read: if false;
    }
    function userCanWrite () {
      return get(/databases/{database}/documents/users/$(request.auth.uid)).data.role == "admin";
    }
    match /titles/{anyTitle=**} {
      allow read: if request.auth != null;
      allow write: if userCanWrite();
    }
  }
}

Here is my database structure

P.S.

I tried another rule from official documents get(/databases/{database}/documents/users/$(request.auth.uid‌​)).data.isAdmin == true;

and this is not working too

UPDATE: CORRECT WAY TO DO IT

Support helped me find the solution this is how you should do:

db structure:

users -> {{ userid }} -> { role: "admin" }

database rule settings:

get(usersPath/$(request.auth.uid)).role == "admin" || get(usersPath/$(request.auth.uid)).data.role == "admin";

4条回答
神经病院院长
2楼-- · 2019-01-14 09:25

You should use $(database) instead of {database} in your code: 

get(/databases/{database}/documents/users/$(request.auth.uid)).data.role == "admin";
查看更多
0人赞 添加讨论(0) 举报
劳资没心,怎么记你
3楼-- · 2019-01-14 09:32

So the way I've solved it is I've created another Collection Called admins

Then I've just added the uid of the user I needed there as such - Here is my database structure - https://i.imgur.com/RFxrKYT.png

And here is the rules

service cloud.firestore {
  match /databases/{database}/documents {

    function isAdmin() {
      return exists(/databases/$(database)/documents/admins/$(request.auth.uid));
    }

    match /tasks/{anyTask} {
    allow read: if request.auth != null;
      allow create: if request.auth != null;
      allow update: if request.auth != null && isAdmin();
      allow delete: if request.auth != null && isAdmin();
    }
  }
}

You can view my full Open Source project here: https://github.com/metaburn/doocrate

查看更多
0人赞 添加讨论(0) 举报
We Are One
4楼-- · 2019-01-14 09:36

What worked for me was moving the userCanWrite function above my rules. It appears that the function has to be defined before any of the match rules that call it. Maddening :-)

查看更多
0人赞 添加讨论(0) 举报
虎瘦雄心在
5楼-- · 2019-01-14 09:52

I contacted to the Firebase support to report that bug and they gave me a temporary solution on this. It seems that they are having a bug in their systems on the security rules side. They say that the documentation is ok, but for now we should workaround this way:

get(path).data.field == true || get(path).field == true;

Because the bug is that data object isn't populated, you should check both properties. There's no ETA for launching a solution on this bug, so I asked they if they could give me an advice when they solved this issue, so I'll keep this answer up-to-date with their information.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)