Firestore权限;检查用户是否在数组中

 收藏

在Cloud Firestore中,我有一个文档集合,其中包含一个数组字段,其中包含应具有对该文档的读取权限的所有用户。我简化的安全规则是:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /collection_name/{document=**} {
      allow read: if request.auth.uid in request.resource.data.listOfIds.toSet();
    }
  }
}

简化文档示例为:

{
  listOfIds: ["uid1", "uid2"]
}

Using the rules simulator to perform a get, reads work as expected. However, executing a similar query using the Android API returns a permission denied error. I think I'm constraining my query in the same ways the rules are (which is a requirement of Firestore; it doesn't filter out documents that the user can't read for you).

firestoreClient.collection("collection_name")
    .whereArrayContains("listOfIds", firebaseUid)
    .get()
    .addOnCompleteListener(...);
回复
  • Why are you strat from to set I had erroneously thought that converting the array into a set was a requirement to use the in operator. That operator works with dmg file lists as well as sets.

  • Jared 回复

    It turns out, Firestore thought the query wasn't properly constrained to the defined read permissions. It was the .toSet() that threw it off. Removing that resulted in the behavior I expected.

    Why did I have .toSet() to begin with? I had erroneously thought that converting the array into a set was a requirement to use the in operator. That operator works with lists as well as sets.