If there are many requests, what is the cost of the Firestore security rules below? I am especially concerned about unwanted requests caused by a malicious attack. None of the rules read documents from Firestore directly.

`firestore.rules`:

```
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isUserAuthenticated() {
      return request.auth != null;
    }
    function isUserDocumentOwner() {
      return (
        isUserAuthenticated() &&
        (
          request.auth.uid == resource.data.userId ||
          request.auth.uid == request.resource.data.userId ||
          request.auth.uid == resource.id ||
          request.auth.uid == request.resource.id
        )
      );
    }
    function isEnterpriseEmployee() {
      return (
        isUserAuthenticated() &&
        (
          resource.data.enterpriseId == request.auth.token.enterpriseId ||
          request.resource.data.enterpriseId == request.auth.token.enterpriseId ||
          resource.id == request.auth.token.enterpriseId ||
          request.resource.id == request.auth.token.enterpriseId
        )
      );
    }
    function isEnterpriseAdmin() {
      return (
        isUserAuthenticated() &&
        request.auth.token.teamIds is list &&
        string(request.auth.token.adminTeamId) in request.auth.token.teamIds
      );
    }
    function isAdminTeamDocument(teamId) {
      return teamId == request.auth.token.adminTeamId;
    }
    match /users/{userId} {
      allow get, update: if isUserDocumentOwner() || isEnterpriseAdmin();
      allow list, create: if isEnterpriseAdmin();
      allow delete: if false; // Firebase Admin SDK only
    }
    match /teams/{teamId} {
      allow get: if isEnterpriseEmployee();
      allow list, create, update: if isEnterpriseAdmin();
      allow delete: if isEnterpriseAdmin() && !isAdminTeamDocument(teamId); // Do not delete the admin team document
    }
    match /enterprises/{enterpriseId} {
      allow get: if isEnterpriseEmployee();
      allow update: if isEnterpriseAdmin();
      allow list, create, delete: if false; // Firebase Admin SDK only
    }
    // Firebase Admin SDK only
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```
Security rules that do not read or reference Firestore data do not incur any cost. You can find the documented cost of security rules in the docs.

When you access fields via `resource`, your rules do reference documents, so you are charged for the documents read at query time to evaluate rules that use `resource`. For example, this incurs the cost of reading the document:

`resource.data.enterpriseId == request.auth.token.enterpriseId`

See also: Firestore security rules: cost of using `request.resource.data.__field__ != resource.data.__field__`?
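To see which of the question's rules fall into the categories the answer describes, here is an added example (not code from the question, the answer, or Firebase's own tooling): a small Node.js static check that walks each `allow` condition, follows calls into the file's helper functions, and labels each condition as decidable from `request.auth` alone, dependent on the protected document's data via `resource`, or dependent on explicit `get()`/`exists()`/`getAfter()` lookups, which Firestore bills as document reads. The embedded rules are the question's, reformatted compactly and without the final catch-all block; the label names and the regex heuristics are my own assumptions, not a Firebase billing calculation.

```javascript
// Added example (not code from the question, the answer, or Firebase): a heuristic
// static check that labels each `allow` condition by what it depends on:
// request.auth only, the protected document (`resource`), or get()/exists() lookups.

// Constructed input: the question's rules, compacted; the catch-all `match /{document=**}` block is omitted.
const RULES = `rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isUserAuthenticated() { return request.auth != null; }
    function isUserDocumentOwner() {
      return isUserAuthenticated() && (request.auth.uid == resource.data.userId ||
        request.auth.uid == request.resource.data.userId ||
        request.auth.uid == resource.id || request.auth.uid == request.resource.id);
    }
    function isEnterpriseEmployee() {
      return isUserAuthenticated() && (resource.data.enterpriseId == request.auth.token.enterpriseId ||
        request.resource.data.enterpriseId == request.auth.token.enterpriseId ||
        resource.id == request.auth.token.enterpriseId || request.resource.id == request.auth.token.enterpriseId);
    }
    function isEnterpriseAdmin() {
      return isUserAuthenticated() && request.auth.token.teamIds is list &&
        string(request.auth.token.adminTeamId) in request.auth.token.teamIds;
    }
    function isAdminTeamDocument(teamId) { return teamId == request.auth.token.adminTeamId; }
    match /users/{userId} {
      allow get, update: if isUserDocumentOwner() || isEnterpriseAdmin();
      allow list, create: if isEnterpriseAdmin();
      allow delete: if false; // Firebase Admin SDK only
    }
    match /teams/{teamId} {
      allow get: if isEnterpriseEmployee();
      allow list, create, update: if isEnterpriseAdmin();
      allow delete: if isEnterpriseAdmin() && !isAdminTeamDocument(teamId);
    }
    match /enterprises/{enterpriseId} {
      allow get: if isEnterpriseEmployee();
      allow update: if isEnterpriseAdmin();
      allow list, create, delete: if false;
    }
  }
}
`;

// Helper-function name -> body text, found by matching braces.
function parseFunctions(src) {
  const fns = {}, re = /function\s+(\w+)\s*\([^)]*\)\s*\{/g;
  for (let m; (m = re.exec(src)) !== null; ) {
    let depth = 1, i = re.lastIndex;
    for (; i < src.length && depth > 0; i++) depth += src[i] === '{' ? 1 : src[i] === '}' ? -1 : 0;
    fns[m[1]] = src.slice(re.lastIndex, i - 1);
  }
  return fns;
}

// Every `allow` statement, with the full match path it sits under.
function parseAllows(src) {
  const allows = [], stack = []; // stack: enclosing match paths and their brace depth
  let depth = 0;
  for (const line of src.split('\n').map((l) => l.trim())) {
    const mt = line.match(/^match\s+(\S+)\s*\{/);
    if (mt) stack.push({ path: mt[1], depth });
    const al = line.match(/^allow\s+([^:]+):\s*if\s+(.+);/);
    if (al) allows.push({ path: stack.map((s) => s.path).join(''),
      methods: al[1].split(',').map((s) => s.trim()), condition: al[2].trim() });
    depth += (line.match(/\{/g) || []).length - (line.match(/\}/g) || []).length;
    while (stack.length && stack[stack.length - 1].depth >= depth) stack.pop();
  }
  return allows;
}

// Expand a condition through helper calls and record which inputs it touches.
function analyzeCondition(condition, fns, seen = new Set()) {
  const flags = { auth: false, incomingData: false, documentData: false, lookups: false };
  const visit = (text) => {
    if (/\brequest\.auth\b/.test(text)) flags.auth = true;
    if (/\brequest\.resource\./.test(text)) flags.incomingData = true;                // incoming write payload
    if (/(?<!request\.)\bresource\.(data|id)\b/.test(text)) flags.documentData = true; // stored document
    if (/\b(get|exists|getAfter)\s*\(/.test(text)) flags.lookups = true;             // extra document fetches
    for (const [, name] of text.matchAll(/\b(\w+)\s*\(/g)) {
      if (fns[name] && !seen.has(name)) { seen.add(name); visit(fns[name]); }
    }
  };
  visit(condition);
  return flags;
}

// Assumed label names; the order reflects what costs most to evaluate.
function classify(flags) {
  if (flags.lookups) return 'extra-lookups';             // get()/exists(): billed as reads
  if (flags.documentData) return 'reads-document-data';  // needs the protected document
  if (flags.auth) return 'auth-only';                    // token claims only
  return 'static';                                       // constant true/false
}

function analyzeRules(src) {
  const clean = src.replace(/\/\/.*$/gm, ''); // drop line comments first
  const fns = parseFunctions(clean);
  return parseAllows(clean).map((a) => ({ ...a, classification: classify(analyzeCondition(a.condition, fns)) }));
}

for (const r of analyzeRules(RULES)) console.log(r.classification.padEnd(20), r.path, 'allow', r.methods.join(', '));
```

Run it with `node`. The `auth-only` rows (for example `list` and `create` on `/users/{userId}`) are the conditions that can be decided from the token claims before any document is consulted, which is where a flood of unauthenticated or mis-claimed requests is rejected cheapest; the `reads-document-data` rows are the `get` rules that the answer says are charged. The check is purely textual, so treat it as a review aid: it ignores path variables, `$(...)` interpolation and the 10-document cap on per-request lookups.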