javascript - firestore security rule resource.data is empty object - Stack Overflow

In a Firestore security rule, resource.data is always an empty object. Is this a bug or something?

My Firestore rules:

service cloud.firestore {
  match /databases/{database}/documents {
    match /hospitals/{document=**} {

      // allow read: if resource.data.size() == 0; // this returns true, resource.data is an empty object

      allow read: if resource.data.name != null; // this doesn't work
    }
  }
}

My JavaScript:

auth().onAuthStateChanged((user) => { 
  if (user) {

    //db is the firestore instance
    db.collection('/hospitals').get()
      .then(printResult)

  } else {
    
  }
}) 

This is my current database snapshot.

Solved:

Thanks for Frank's answer.

The issue lies in the fact that Firestore security doesn't evaluate the actual document value when we query over multiple documents. In my case:

// this doesn't work; Firestore doesn't evaluate the document
db.collection('hospitals').get()

// this will work, if you need to compare the actual value
db.doc('hospitals/somehospital').get()

Asked Apr 30, 2018 at 10:26 by Jack Ng; edited Apr 26, 2021 at 2:24.
  • I corrected my question, my apology – Jack Ng Commented May 1, 2018 at 1:09
  • Even with the update, it's hard to say what's going on without seeing the code that is giving you unexpected results. See how to create a minimal, complete, verifiable example for how to make it easiest to help you. – Frank van Puffelen Commented May 1, 2018 at 4:36
  • I added my JavaScript code above – Jack Ng Commented May 1, 2018 at 9:04
  • When I use the rule " // allow read :if resource.data.size() == 0; ", I am able to retrieve all the documents, but I failed when I try to access the "resource.data.name != null" – Jack Ng Commented May 1, 2018 at 9:06
1 Answer

Security rules don't filter data by themselves. They merely enforce rules on what data a client can read. Your client is currently trying to read all hospitals. Since your security rules have restrictions on what data a client can read, they reject this operation.

You need to ensure that what your client requests is no more than what the security rules allow, by reading the data through a query that matches the security rules. So something like

db.collection('/hospitals')
  .where("name", ">=", "")
  .get()
  .then(printResult)

Note that this does require that the document has a name field, otherwise the name can't be empty.

For more info, see:

  • the Firestore documentation on securing queries
  • Firestore select where is not null
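
A simplified model of the behaviour the answer describes, added here as an illustration; it is not code from the question, the answer or Firestore itself. The names `authorizeGet`, `authorizeList`, `matches`, `runQuery` and the sample `hospitals` data are hypothetical, and the constraint check is an assumption standing in for Firestore's real query analysis.

```javascript
// Simplified model (an assumption, not Firestore's real evaluator) of the rule
//   allow read: if resource.data.name != null;
const RULE_FIELD = 'name';

// Constructed sample data: one document satisfies the rule, one does not.
const hospitals = {
  general: { name: 'General Hospital' },
  draft: { beds: 12 },
};

// Single-document get: the rule is evaluated against the stored document.
function authorizeGet(id) {
  const doc = hospitals[id];
  return doc !== undefined && doc[RULE_FIELD] != null;
}

// Collection query: the decision uses only the query's constraints, never the
// stored documents. The query must already exclude documents the rule rejects.
function authorizeList(filters) {
  const ops = ['==', '<', '<=', '>', '>='];
  return filters.some(f =>
    f.field === RULE_FIELD && ops.includes(f.op) && f.value != null);
}

// A filter only matches documents where the field exists with the same type.
function matches(doc, f) {
  const v = doc[f.field];
  if (v == null || typeof v !== typeof f.value) return false;
  if (f.op === '==') return v === f.value;
  if (f.op === '<') return v < f.value;
  if (f.op === '<=') return v <= f.value;
  if (f.op === '>') return v > f.value;
  if (f.op === '>=') return v >= f.value;
  return false;
}

// Rules are not filters: an unauthorized query fails as a whole instead of
// returning the subset of documents that would have passed the rule.
function runQuery(filters) {
  if (!authorizeList(filters)) throw new Error('permission-denied');
  return Object.values(hospitals).filter(d => filters.every(f => matches(d, f)));
}
```

In this model `runQuery([])` is denied even though `authorizeGet('general')` succeeds, which is the mismatch the question ran into.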
