# Introduction

**This document describes the permissions supported for Tencent Cloud custom login. This usage is not recommended in uniCloud, see details.**

If the front end accesses cloud storage directly (for example, to delete files), a set of permission rules is required for data security. Developers can customize security rules in the uniCloud web console to limit the access rights of clients to cloud storage. This document introduces how to configure security rules and explains the expressions used in them.

Notice

  • Permission control is only for clients

# Security rules example

Rules example

```
// cloud storage
// Readable by everyone, only writable by the creator
{
  "read": true,
  "write": "resource.openid == auth.uid"
}
// Readable by non-anonymous users, writable only by the creator
{
  "read": "auth.loginType != 'ANONYMOUS'",
  "write": "resource.openid == auth.uid"
}
```

The above json configuration is explained as follows:

  • key: refers to the user's operation type.
  • value: refers to an expression.

# Configuration instructions

Developers can set cloud storage permissions in the uniCloud console. As shown in the figure below, you can use the default four rules, or click Switch to security rules to configure the permission rules in JSON format by yourself.

About the creator

  • If cloud token is not used, the client logs in anonymously every time it is opened, so the user has a new temporary identity each time. If a file is uploaded under a temporary identity, that temporary identity is recorded as the file's creator, and the temporary identity obtained when the app is reopened is not guaranteed to be the same as the previous one. If you need to configure creator permissions, it is recommended to use cloud token.

# Cloud storage operation type

| Operation type | Description | Default value |
|---|---|---|
| read | Read a file, e.g. getTempFileURL | - |
| write | Upload/overwrite files, delete files | - |

# Expression

Expressions are pseudo-code statements; keep them short when configuring them.

# Variables

Global variables

| Variable name | Type | Description |
|---|---|---|
| auth | object | User login information, see the field descriptions below |
| now | number | Timestamp of the current time |
| resource | object | Cloud storage resource |
| doc | any | Database document resource (database permission configuration is not currently open) |

auth

| Field name | Type | Description |
|---|---|---|
| loginType | string | Login method; the value is ANONYMOUS (anonymous login) or CUSTOM (custom login) |
| uid | string | User unique ID (corresponds to resource.openid of cloud storage), see the example below |

resource

| Field name | Type | Description |
|---|---|---|
| openid | string | User unique ID of the resource creator |

```
// cloud storage
{
  "read": "resource.openid == auth.uid", // only the creator can read
  "write": "resource.openid == auth.uid" // only the creator can write
}
```

# Operator

| Operator | Description | Example | Example explanation (query condition) |
|---|---|---|---|
| == | Equal to | auth.uid == 'zzz' | User's uid is zzz |
| != | Not equal to | auth.uid != 'zzz' | User's uid is not zzz |
| > | Greater than | doc.age>10 | The age attribute of the query condition is greater than 10 |
| >= | Greater than or equal to | doc.age>=10 | The age attribute of the query condition is greater than or equal to 10 |
| < | Less than | doc.age<10 | The age attribute of the query condition is less than 10 |
| <= | Less than or equal to | doc.age<=10 | The age attribute of the query condition is less than or equal to 10 |
| in | Exists in the collection | auth.uid in ['zzz','aaa'] | User's uid is one of ['zzz','aaa'] |
| !(xx in []) | Does not exist in the collection; expressed by negating in, e.g. !(a in [1,2,3]) | !(auth.uid in ['zzz','aaa']) | User's uid is not any of ['zzz','aaa'] |
| && | And | auth.uid == 'zzz' && resource.openid == 'xxx' | User's uid is zzz and the resource's creator id is xxx |
| \|\| | Or | auth.uid == 'zzz' \|\| auth.uid == 'xxx' | User's uid is zzz or user's uid is xxx |
| . | Object member accessor | auth.uid | User's uid |

Notice

  • The rvalue of a comparison operator must be a numeric value.