英文:
Firestore security rules granting access only to users authenticated with Google and that are part of the Firebase project
问题
我正在使用FireCMS管理我的Firestore,并已设置了Google身份验证。为了保护我的数据,我只希望授予属于Firebase项目的Google用户访问权限。如果可能的话,我也想避免逐个列出用户的电子邮件。
我尝试过以下方法:
```plaintext
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents/{document=**} {
allow read, write: if request.auth != null &&
request.auth.token.firebase != null &&
request.auth.token.firebase.identities["google.com"] != null;
}
}
但这会给予所有Google帐户访问权限,而不仅仅是那些已被邀请到我的Firebase项目的帐户。
<details>
<summary>英文:</summary>
I am using FireCMS for my Firestore and have set up Google authentication. To secure my data, I only wish to grant access to Google users that are part of the Firebase project. I'd also like to avoid listing user emails one by one, if possible.
Here's what I tried so far:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents/{document=**} {
allow read, write: if request.auth != null &&
request.auth.token.firebase != null &&
request.auth.token.firebase.identities["google.com"] != null;
}
}
But this gives access to all Google accounts, not just those that have been invited to my Firebase project.
</details>
# 答案1
**得分**: 2
没有办法从用户的Firebase ID令牌中的信息确定用户是否是Firebase项目的合作者。安全规则也无法访问您的Firebase项目的信息。
我能想到的唯一选择是:
- 如果您使用 Identity Platform,您可能可以[禁用注册](https://console.firebase.google.com/project/_/authentication/settings),只保留登录功能。然后在将他们添加到项目后,您可以预先为每个合作者创建一个帐户。
- 在合作者的令牌中包含一个自定义声明,然后您的安全规则进行检查。如果您不想自己编写代码,您可以考虑使用允许您通过Firestore[设置Auth声明的扩展](https://github.com/FirebaseExtended/experimental-extensions/tree/next/firestore-auth-claims)。
- 在您的Firestore数据库中包含每个合作者的信息,然后在您的安全规则中从那里查找,类似于[获取用户规则的此示例](https://firebase.google.com/docs/firestore/security/rules-conditions#access_other_documents)。
<details>
<summary>英文:</summary>
There is no way to identify that the user is a collaborator on the Firebase project from the information in their Firebase ID token. The security rules also don't have access to the information of your Firebase project.
The only options I can think of are to:
* If you use Identity Platform, you may be able to [disable sign-up](https://console.firebase.google.com/project/_/authentication/settings) - and only leave sign-in enabled. You could then pre-create an account for each collaborator, after you add them to the project.
* Include a custom claim in the token of collaborators, that your security rules then check for. If you don't want to write the code for this yourself, you can consider using extension that let's you [set Auth claims through Firestore](https://github.com/FirebaseExtended/experimental-extensions/tree/next/firestore-auth-claims).
* Include information about each collaborator in your Firestore database, and then look it up from there in your security rules, similar to this example on [getting user rules](https://firebase.google.com/docs/firestore/security/rules-conditions#access_other_documents).
</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论