Security Rules
Security Rules is the document-level permission control feature of CloudBase Database, which precisely controls read and write permissions for each piece of data through custom expressions.
Configuration Entry
In Cloud Development Platform/Document Database/Collection Management, select "Permission Management" and click "Switch to Security Rules".
Basic Syntax
```json
{
  "read": "expression",  // Read permission control expression
  "write": "expression"  // Write permission control expression
}
```
⚠️ Note: Frontend query conditions must be a subset of security rules, otherwise access will be denied. When security rules use doc.fieldName, query conditions must include the corresponding field.
Common Templates
Owner Only Read/Write
```json
{
  "read": "doc._openid == auth.openid",
  "write": "doc._openid == auth.openid"
}
```
```javascript
// Query documents created by current user
db.collection('articles').where({
  _openid: '{openid}'
}).get()
```
Public Read, Owner Write
```json
{
  "read": true,
  "write": "doc._openid == auth.openid"
}
```
```javascript
// Read all documents
db.collection('articles').get()

// Update documents created by yourself
db.collection('articles').where({
  _openid: '{openid}'
}).update({ title: 'Updated Title' })
```
Status-Based Control
```json
{
  "read": "doc.published == true || doc.author == auth.openid",
  "write": "doc.author == auth.openid"
}
```
```javascript
// Query published documents
db.collection('articles').where({
  published: true
}).get()

// Query all your own documents
db.collection('articles').where({
  author: '{openid}'
}).get()
```
Cross-Platform Compatible
```json
{
  "read": "doc.userId == auth.openid || doc.userId == auth.uid",
  "write": "doc.userId == auth.openid || doc.userId == auth.uid"
}
```
💡 Note: Mini-program uses auth.openid, Web uses auth.uid. Using the {openid} variable in queries will automatically adapt.
{openid} Variable
You can use the string constant {openid} in query conditions, and the system will automatically replace it with the corresponding user identity (Mini-program uses openid, Web uses uid).
```javascript
// Use {openid} variable to query current user data
db.collection('articles').where({
  author: '{openid}'
}).get()
```
Expression Syntax
Built-in Variables
| Variable Name | Description | Example |
|---|---|---|
| auth | User login information | auth.openid, auth.uid |
| doc | Document data or query fields | doc.userId, doc.status |
| now | Current timestamp | now > doc.expireTime |
Operators
| Operator | Description | Example |
|---|---|---|
| == | Equal | auth.openid == doc.userId |
| != | Not equal | doc.status != 'deleted' |
| in | Contains | auth.openid in doc.editors |
| && | Logical AND | auth.openid == doc.userId && doc.published |
| \|\| | Logical OR | auth.openid == doc.userId \|\| doc.public |
Operation Types
| Operation | Description | Default Value |
|---|---|---|
| read | Read document | false |
| write | Write document | false |
| create | Create document | Inherits write |
| update | Update document | Inherits write |
| delete | Delete document | Inherits write |
get Function
Used for cross-document permission verification, syntax: get('database.collectionName.documentID')
```json
{
  "read": "auth.openid in get(`database.room.${doc.roomId}`).members"
}
```
When using the get function, query conditions must include the referenced field, otherwise it will return a DATABASE_PERMISSION_DENIED error.
Correct Example:
```javascript
// Query conditions include roomId field
db.collection('messages').where({
  roomId: 'room123'
}).get()
```
Incorrect Example:
```javascript
// Missing roomId field, will return permission denied error
db.collection('messages').where({
  _id: 'msg123'
}).get()
```
Limitations:
- Query conditions must include the doc field referenced in the get function
- Array length in the in operator must be 1
- Maximum 3 get functions per expression
- Maximum nesting depth of 2 levels
- Each get function generates one database read operation
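To catch the DATABASE_PERMISSION_DENIED cases above before a request leaves the client, here is an added example (not CloudBase tooling and not code from this page) that statically lints a rule string against the plain where-clause you intend to send, and counts get() calls and their nesting depth against the limits just listed. A query has to cover the doc fields of at least one top-level "||" branch of the rule, which is how the "subset" requirement plays out for the Status-Based Control template. All function names and the sample rules are this example's own; the in-array-length limit concerns the query command object and is not checked here.

```javascript
// Added example, not CloudBase's own tooling: a static checker for a rule
// expression that reports the doc.* fields it references, how many get() calls
// it makes and how deeply they nest, and whether a plain equality where-clause
// covers at least one branch of the rule (the page's "query conditions must be
// a subset of security rules" requirement). Only field presence is checked;
// whether the values actually satisfy the rule is decided by the server.

// Split on top-level "||" (outside parentheses): a query only has to cover
// the doc fields of one of these branches.
function splitBranches(expr) {
  const branches = [];
  let depth = 0, start = 0;
  for (let i = 0; i < expr.length; i++) {
    if (expr[i] === '(') depth++;
    else if (expr[i] === ')') depth--;
    else if (depth === 0 && expr.startsWith('||', i)) {
      branches.push(expr.slice(start, i));
      start = i + 2;
      i++;
    }
  }
  branches.push(expr.slice(start));
  return branches.map((b) => b.trim());
}

// Collect doc.<field> references, including those inside ${...} of a get() template.
function docFields(expr) {
  return [...new Set([...expr.matchAll(/\bdoc\.([A-Za-z_]\w*)/g)].map((m) => m[1]))];
}

// Count get() calls and the deepest get()-inside-get() nesting.
function getUsage(expr) {
  let count = 0, depth = 0, maxDepth = 0;
  const stack = []; // one entry per open "(", true when it opened a get()
  for (let i = 0; i < expr.length; i++) {
    if (expr.startsWith('get(', i) && (i === 0 || !/\w/.test(expr[i - 1]))) {
      count++;
      depth++;
      maxDepth = Math.max(maxDepth, depth);
      stack.push(true);
      i += 3;
    } else if (expr[i] === '(') stack.push(false);
    else if (expr[i] === ')' && stack.pop()) depth--;
  }
  return { count, maxDepth };
}

// Lint one rule against the where-clause a client intends to send. `where`
// is the plain-object form used on this page ({ roomId: 'room123' });
// _.or / _.in command queries are not modelled.
function lintRule(expr, where = {}) {
  const problems = [];
  const { count, maxDepth } = getUsage(expr);
  if (count > 3) problems.push(`uses ${count} get() calls; the limit is 3`);
  if (maxDepth > 2) problems.push(`get() nesting depth ${maxDepth} exceeds the limit of 2`);
  const branches = splitBranches(expr).map((b) => docFields(b));
  if (!branches.some((fields) => fields.every((f) => f in where))) {
    const needed = branches.map((fields) => `[${fields.join(', ')}]`).join(' or ');
    problems.push(`query covers no branch of the rule; it needs every field in one of ${needed}`);
  }
  // reads: each get() costs one database read per evaluated document
  return { fields: docFields(expr), gets: count, maxDepth, reads: count, problems };
}

// Constructed sample rules taken from this page's scenarios, plus one nested
// get() rule and one over-the-limit rule built here to exercise the checks.
const statusReadRule = 'doc.published == true || doc.author == auth.openid';
const messageReadRule = 'auth.openid in get(`database.room.${doc.roomId}`).members';
const nestedRule = 'auth.openid in get(`database.team.${get(`database.room.${doc.roomId}`).teamId}`).members';
const tooManyGets = [1, 2, 3, 4].map((n) => 'get(`database.x.${doc.a}`).f == ' + n).join(' || ');

console.log(lintRule(messageReadRule, { _id: 'msg123' }).problems); // roomId missing: the server would deny this
```

Running lintRule on the Incorrect Example above reports the missing roomId field, while the same rule with { roomId: 'room123' } passes and shows one read per evaluated document; the nested rule passes the depth-2 limit, and the four-get() rule is flagged.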
Application Scenarios
Article Publishing System
```json
{
  "read": "doc.published == true || doc.author == auth.openid || doc.author == auth.uid",
  "update": "doc.author == auth.openid || doc.author == auth.uid",
  "delete": "(doc.author == auth.openid || doc.author == auth.uid) && doc.published == false"
}
```
```javascript
// Query published articles
db.collection('articles').where({ published: true }).get()

// Query your own articles
db.collection('articles').where({ author: '{openid}' }).get()

// Update your own articles
db.collection('articles').where({
  author: '{openid}',
  _id: 'article123'
}).update({ title: 'Updated Title' })
```
Collaborative Document System
```json
{
  "read": "auth.openid in doc.readers || auth.uid in doc.readers || auth.openid in doc.editors || auth.uid in doc.editors || doc.owner == auth.openid || doc.owner == auth.uid",
  "write": "auth.openid in doc.editors || auth.uid in doc.editors || doc.owner == auth.openid || doc.owner == auth.uid",
  "delete": "doc.owner == auth.openid || doc.owner == auth.uid"
}
```
```javascript
// `_` is the database query command object
const _ = db.command

// Query documents with read permission
db.collection('documents').where(_.or([
  { readers: _.in(['{openid}']) },
  { editors: _.in(['{openid}']) },
  { owner: '{openid}' }
])).get()
```
Group Chat System
Message Collection:
```json
{
  "read": "auth.openid in get(`database.room.${doc.roomId}`).members",
  "create": "auth.openid in get(`database.room.${doc.roomId}`).members",
  "update": "auth.openid == doc.sender"
}
```
```javascript
// Query room messages (must include roomId)
db.collection('messages').where({
  roomId: 'room123'
}).get()
```
Room Collection:
```json
{
  "read": "auth.openid in doc.members",
  "write": "doc.owner == auth.openid"
}
```
```javascript
// `_` is the database query command object
const _ = db.command

// Query joined rooms
db.collection('rooms').where({
  members: _.in(['{openid}'])
}).get()
```
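To see how the operator table, the built-in variables, get() and the operation defaults combine in the scenarios above, here is an added example (not the CloudBase engine and not code from this page): a small interpreter for the rule expression language as the page describes it, run offline against a constructed room document and message. It reports the decision and how many get() reads the evaluation cost. Function names, the in-memory store and the sample data are this example's own, and where the page does not state a behaviour (for instance how a comparison against a missing field or identity resolves) the choice made is marked as an assumption in the code.

```javascript
// Added example, not the CloudBase engine: a small interpreter for the rule
// expression language described on this page (auth/doc/now, the operator
// table, get() and the operation defaults) so the scenarios can be exercised
// offline. It models only what the page states; unstated details are marked.

// Tokens: backtick templates (kept raw), 'strings', numbers, dotted names such
// as doc.roomId, and operators ('.' for get(...).field, < > for the now example).
function tokenize(src) {
  const re = /\s*(?:(`[^`]*`)|('[^']*')|(\d+(?:\.\d+)?)|([A-Za-z_][\w.]*)|(==|!=|&&|\|\||[()<>.]))/y;
  const tokens = [];
  src = src.trim();
  while (re.lastIndex < src.length) {
    const m = re.exec(src);
    if (!m) throw new Error(`cannot tokenize: ${src}`);
    if (m[1]) tokens.push({ t: 'tpl', v: m[1].slice(1, -1) });
    else if (m[2]) tokens.push({ t: 'str', v: m[2].slice(1, -1) });
    else if (m[3]) tokens.push({ t: 'num', v: Number(m[3]) });
    else if (m[4]) tokens.push({ t: 'id', v: m[4] });
    else tokens.push({ t: 'op', v: m[5] });
  }
  return tokens;
}

// Recursive-descent parser: || binds loosest, then &&, then comparisons.
function parse(tokens) {
  let i = 0;
  const peek = () => tokens[i];
  const take = (want) => {
    const tok = tokens[i++];
    if (!tok || (want !== undefined && tok.v !== want)) throw new Error(`expected ${want || 'a token'}`);
    return tok;
  };
  const isOpLike = (tok) => tok && (tok.t === 'op' || tok.t === 'id');
  const binary = (next, ops) => () => {
    let node = next();
    while (isOpLike(peek()) && ops.includes(peek().v)) node = { op: take().v, l: node, r: next() };
    return node;
  };
  const primary = () => {
    const tok = take();
    if (tok.t === 'op' && tok.v === '(') { const e = orExpr(); take(')'); return e; }
    if (tok.t === 'op') throw new Error(`unexpected ${tok.v}`);
    if (tok.t !== 'id') return { op: 'lit', t: tok.t, v: tok.v };
    if (tok.v === 'true' || tok.v === 'false') return { op: 'lit', t: 'bool', v: tok.v === 'true' };
    let node;
    if (tok.v === 'get') { take('('); node = { op: 'get', ref: primary() }; take(')'); }
    else node = { op: 'path', v: tok.v };
    while (peek() && peek().t === 'op' && peek().v === '.') { take(); node = { op: 'member', l: node, path: take().v }; }
    return node;
  };
  const cmp = binary(primary, ['==', '!=', 'in', '<', '>']);
  const andExpr = binary(cmp, ['&&']);
  const orExpr = binary(andExpr, ['||']);
  const ast = orExpr();
  if (i !== tokens.length) throw new Error('trailing tokens');
  return ast;
}

const walk = (obj, path) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);

function evaluate(node, ctx) {
  const ev = (n) => evaluate(n, ctx);
  switch (node.op) {
    case 'lit': return node.t === 'tpl'
      ? node.v.replace(/\$\{([^}]*)\}/g, (_, inner) => String(ev(parse(tokenize(inner)))))
      : node.v;
    case 'path': return walk(ctx.vars, node.v);
    case 'member': return walk(ev(node.l), node.path);
    case 'get': { // one database read per get(), as the page states
      const [db, coll, id] = String(ev(node.ref)).split('.');
      if (db !== 'database') throw new Error('get() reference must be database.collection.docId');
      ctx.reads += 1;
      return walk(ctx.store, `${coll}.${id}`);
    }
    case '&&': return Boolean(ev(node.l) && ev(node.r));
    case '||': return Boolean(ev(node.l) || ev(node.r));
    // assumption: a missing field or identity never satisfies ==; the page does not say
    case '==': { const l = ev(node.l); return l !== undefined && l === ev(node.r); }
    case '!=': return ev(node.l) !== ev(node.r);
    case '<': return ev(node.l) < ev(node.r);
    case '>': return ev(node.l) > ev(node.r);
    case 'in': { const arr = ev(node.r); return Array.isArray(arr) && arr.includes(ev(node.l)); }
    default: throw new Error(`unknown node ${node.op}`);
  }
}

// Operation defaults from the table above: create/update/delete inherit
// "write" when not set explicitly; anything still unset is false.
function effectiveRule(rules, op) {
  if (op in rules) return rules[op];
  if (['create', 'update', 'delete'].includes(op) && 'write' in rules) return rules.write;
  return false;
}

function authorize(rules, op, { auth, doc, now = Date.now() }, store = {}) {
  const rule = effectiveRule(rules, op);
  const ctx = { vars: { auth, doc, now }, store, reads: 0 };
  const allowed = typeof rule === 'boolean' ? rule : Boolean(evaluate(parse(tokenize(rule)), ctx));
  return { allowed, reads: ctx.reads };
}

// Constructed sample data for the group-chat scenario above.
const roomStore = { room: { room123: { owner: 'u1', members: ['u1', 'u2'] } } };
const messageRules = {
  read: 'auth.openid in get(`database.room.${doc.roomId}`).members',
  create: 'auth.openid in get(`database.room.${doc.roomId}`).members',
  update: 'auth.openid == doc.sender',
};
const message = { roomId: 'room123', sender: 'u1', text: 'hi' };
console.log(authorize(messageRules, 'read', { auth: { openid: 'u2' }, doc: message }, roomStore));   // member: allowed, 1 read
console.log(authorize(messageRules, 'delete', { auth: { openid: 'u1' }, doc: message }, roomStore)); // no delete or write rule: denied
```

Two things worth noticing when you run it: the message collection above has no write or delete rule, so delete falls through to the default of false even for the sender, and every evaluation of the read or create rule costs one get() read, which is the cost the Limitations list warns about.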