Firestore security rules: "PERMISSION_DENIED: Missing or insufficient permissions."

Posted 2019-05-05 16:36:09

Question:

My Firestore database has some users and some foos. A user can claim a foo if nobody else has claimed it yet. They do this by creating a document at /fooOwners/fooId with a field called owner, which is a reference to their own user document.

I think I have captured this in these security rules:

service cloud.firestore {
  match /databases/{database}/documents {

    // Users
    match /users/{userId} {
      // Omitted: the usual user rules.
    }

    // Foo ownership
    // Uniqueness of foo IDs is enforced by using them as document IDs.
    match /fooOwners/{fooId} {
      // Signed in users can claim a new foo.
      allow create: if request.auth.uid != null;

      // They can read ownership of their own foos, but they can't see who else owns which foos. We only list this using the Admin API from Cloud Functions.
      allow get: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);

      // They also can't change ownership directly, only by deleting and recreating.
      allow update: if false;

      // And they can only remove ownership of a foo they own themselves.
      allow delete: if resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);
    }
  }
}

However, when get()ing the ownership document, I get PERMISSION_DENIED:

2018-12-03 21:38:20.197 8111-8111/cc.biketracker.android E/AndroidRuntime: FATAL EXCEPTION: main
    Process: cc.biketracker.android, PID: 8111
    com.google.android.gms.tasks.RuntimeExecutionException: com.google.firebase.firestore.FirebaseFirestoreException: PERMISSION_DENIED: Missing or insufficient permissions.
        at com.google.android.gms.tasks.zzu.getResult(Unknown Source:15)
        at cc.biketracker.android.provisioning.ProvisioningActivity.lambda$onBonded$5(ProvisioningActivity.java:500)
        at cc.biketracker.android.provisioning.-$$Lambda$ProvisioningActivity$xeA3U7VpXb53FkiwAhKinRUnZbY.onComplete(Unknown Source:6)
        at com.google.android.gms.tasks.zzj.run(Unknown Source:4)
        at android.os.Handler.handleCallback(Handler.java:873)
        at android.os.Handler.dispatchMessage(Handler.java:99)
        at android.os.Looper.loop(Looper.java:193)
        at android.app.ActivityThread.main(ActivityThread.java:6680)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
        at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:858)
     Caused by: com.google.firebase.firestore.FirebaseFirestoreException: PERMISSION_DENIED: Missing or insufficient permissions.

Here is how I do it:

        DocumentReference ownershipRef = FirebaseContext.getFooOwnerRef(selectedFooId);

        ownershipRef.get().addOnCompleteListener((task) -> {
            // Note: Task.getResult() rethrows a failed task's exception as
            // RuntimeExecutionException, which is the crash in the trace above.
            if (task.getResult() == null) {
                // This should never happen.
                Logg.e(TAG, "No foo ownership result.");
                return;
            }

            if (task.getResult().exists()) {
                // Check ownership is already ours.
            }
        });

If I open up the /fooOwners/fooId document and set read and write to true, the exception does not occur.

What is wrong with my rules? They test fine with the simulator.


Answer 1:

This seems to have been solved by the following change to the get rule:

allow get: if resource == null || resource.data.owner == /databases/$(database)/documents/users/$(request.auth.uid);

I guess that when I initially get() the document, before it exists, there is no resource.data or resource.data.owner.

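A hardened version of the rules, added here as an example and not the poster's rules or the accepted answer verbatim: it guards resource == null on get as the answer does, and additionally checks request.auth for null (comparing request.auth.uid on an unauthenticated request raises an error rather than evaluating to false) and ties the owner field of a new claim to the caller's own user document, which the original create rule never validates. The helper functions and the assumption that an ownership document holds only the owner field are mine.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: is the caller signed in? request.auth is null for anonymous
    // callers, and dereferencing null in a rule raises an error (denied).
    function signedIn() {
      return request.auth != null;
    }

    // Helper: the reference to the caller's own user document.
    function callerRef() {
      return /databases/$(database)/documents/users/$(request.auth.uid);
    }

    match /fooOwners/{fooId} {
      // Claim: create already implies the document does not exist yet, so
      // uniqueness of the claim comes from the document ID. The owner field
      // must point at the caller's own user document, not an arbitrary user.
      // (Assumption: an ownership document carries only the owner field.)
      allow create: if signedIn()
                    && request.resource.data.keys().hasOnly(['owner'])
                    && request.resource.data.owner == callerRef();

      // Read: a missing document has resource == null, so test for that
      // before touching resource.data (the cause of the PERMISSION_DENIED
      // in the question).
      allow get: if signedIn()
                 && (resource == null || resource.data.owner == callerRef());

      // Ownership never changes in place; release and re-claim instead.
      allow update: if false;

      // Only the current owner may release a foo.
      allow delete: if signedIn() && resource.data.owner == callerRef();

      // No list rule: enumeration stays with the Admin SDK in Cloud Functions.
    }
  }
}
```

A get on a non-existent document is still allowed for any signed-in user, which is the intended "is this foo unclaimed?" check, but note that it also reveals whether a given ID has been claimed.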
