The Cloud Firestore security rules are set as follows:
service cloud.firestore{
match/databases/{database}/documents{
match/collectionA/{someID} {
function checkA(){
return get(/databases/$(database)/documents/collectionA/$(someID)/users/$(request.auth.uid)) .data.deleteFlag!=true
}
function checkB(){
return get(/databases/$(database)/documents/collectionB/$(request.auth.uid)/companies/$(someID)) .data.deleteFlag!=true
}
allow read, write —if checkA()||checkB()
}
}
}
The database has the following image configuration:
I set up the simulator as follows and ran it.
simulation type:get
Location: collectionA/companyA
providers:password
Firebase UID: aAzUlfztdYdEIXT3Tva73kCiuy93
The function checkA() should be false and the function checkB() should be true, so I expected access to it, but it said, "Data access through simulation was not allowed."
Also, if you call the function alone, the function checkA() returned false and the function checkB() returned true.
I thought it was wrong to make it into a function, so I wrote the condition directly to allow read, write:, but I was not allowed access as above.
Also, when I tried to change the function checkB() to another conditional expression that returns the following true, I think it is not possible to specify OR because access is allowed.
function checkB(){
return request.auth.uid!=null
}
If anyone knows what's wrong, could you please point it out?
Thank you for your cooperation.
Under this rule and DB conditions
/databases/$(database)/documents/collectionA/$(someID)/users/$(request.auth.uid)
/databases/$(database)/documents/collectionB/$(request.auth.uid)
It appears that the DocumentID (userID) pointed to does not match.As far as the attached screenshot shows, the former is r9Myn4TfzAVpSZGzyaet
and the latter is aAzUlfztdYdEIXT3Tva73kCiuy93
, so I think I can get it if it matches.Rather than saying the rules are strange, the DB structure (document ID) to be simulated appears to be flawed.
There was information that the simulator rarely works properly, so I actually threw a query just in case and found the intended result, so I thought it might be a simulator bug, but when I contacted Developer Platform Support, they replied as follows...
The get function gets an error when it tries to get a value for an object that does not exist.
If an error occurs during the condition determination process, the security rules do not apply.
A request to apply a security rule when any deleteFlag associated with user data present in each collection is false is difficult because the security rule specification does not have a function to control objects that do not currently exist.
As a workaround, the above rules are applied after retaining the data so that UID data exists in collectionA and collectionB respectively.
© 2024 OneMinuteCode. All rights reserved.