问题描述

如何检查客户端上的用户是否仅使用firebase.firestore.FieldValue.serverTimestamp()创建文档?

How do I check if user on client sided created document with only firebase.firestore.FieldValue.serverTimestamp()?

我有以下内容:

allow create: if request.resource.data.timestamp == ??

我应该拥有什么而不​​是??.我已经尝试过serverTimestamp() firebase.firestore.FieldValue.serverTimestamp()，now或now()，但是它不起作用.

What should I have instead of ??. I have tried serverTimestamp() firebase.firestore.FieldValue.serverTimestamp(), now or now() but it doesn't work.

可以在Firebase中这样进行:

It is possible to do it in Firebase like this:

".validate": "newData.child('timestamp').val() === now"

我正在寻找相同的解决方案.有任何想法吗?谢谢

I am looking for the same solution. Any ideas? Thanks

推荐答案

您可以使用request.time属性( docs )，即与实时数据库now等效的Firestore.因此，您需要类似的东西:

You can access the current request timestamp in Security Rules using the request.time attribute (docs), which is the Firestore equivalent to the Realtime Databases's now. You'll therefore want something like:

allow create: if request.resource.data.timestamp == request.time;

对于serverTimestamp()，该值应为true.

For serverTimestamp() this should evaluate to true.

即使您正在使用serverTimestamp()，您也应始终验证安全规则"中的客户端输入.安全规则不会自动知道服务器会输入值而不是客户端来输入，因此，如果没有此检查，恶意客户端可能会同时创建一个不同的内容.

You should always validate client input in Security Rules, even if you're using serverTimestamp(). Security Rules doesn't automatically know the server input the value instead of the client, so without this check, a malicious client could create a different created at time.

这篇关于Firestore安全规则:如果时间戳记(FieldValue.serverTimestamp)现在等于的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！