Firestore security rules for queries involving stored arrays

Updated: 2023-02-05 15:38:18

It appears Firestore does not currently support security rules for this scenario at the moment (thanks for your help tracking this down, Doug Stevenson). I have come up with a mechanism to work around the limitation and wanted to share in case someone else is dealing with this issue. It requires an extra query but keeps me from having to create a Web API using the Admin SDK just to get around the security rules.

Posts are stored as follows (simplified):

/posts/{postId}
- userId
- timestamp
- groupIds[]
- message
- photo

Now I am adding an additional post references collection which just stores pointer information:

/postRefs/{postId}
- userId
- timestamp
- groupIds[]

The posts collection will have security rules which do all the validation to ensure the user is in at least one of the groups in which the post is tagged. Firestore is able to handle this properly for simple get requests, just not list requests at the moment.

Since the postRefs collection stores only IDs, and not sensitive information which may be in the post, its security rules can be relaxed such that I only verify a user is logged in. So, the user will perform post queries on the postRefs collection to retrieve a list of ordered postIds to be lazily loaded from the posts collection.

Clients add/delete posts to/from the normal posts collection and then there is a Cloud Function which copies the ID information over to the postRefs collection.
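
A sketch of security rules for the two-collection layout described above, as an added example that is not part of the original answer. It assumes group membership is stored as a `groupIds` array on a hypothetical `/users/{uid}` document; the create and delete conditions are also assumptions, since the answer does not show its write rules.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumption: the caller's groups live in /users/{uid}.groupIds.
    function myGroups() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.groupIds;
    }

    // Strict collection: holds message and photo.
    match /posts/{postId} {
      // Single-document reads: the caller must share at least one
      // group with the post.
      allow get: if request.auth != null
                 && resource.data.groupIds.hasAny(myGroups());

      // Collection queries are refused here; clients obtain post IDs
      // from /postRefs and then fetch each post with a get.
      allow list: if false;

      // Assumed write rules: the author writes under their own uid and
      // tags at least one group they belong to; only the author deletes.
      allow create: if request.auth != null
                    && request.resource.data.userId == request.auth.uid
                    && request.resource.data.groupIds.hasAny(myGroups());
      allow delete: if request.auth != null
                    && resource.data.userId == request.auth.uid;
    }

    // Relaxed collection: pointer fields only (userId, timestamp, groupIds).
    match /postRefs/{postId} {
      // Any signed-in user may get or list.
      allow read: if request.auth != null;

      // No client writes. The Cloud Function uses the Admin SDK, which
      // is not subject to security rules, so the mirror cannot be
      // forged or edited from a client.
      allow write: if false;
    }
  }
}
```

With these rules every signed-in user can read the `userId`, `timestamp` and `groupIds` of every post through `/postRefs`; only `message` and `photo` stay behind the group check. The client must also expect a permission-denied error when it lazily loads a post whose groups it does not share.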