
Firebase database security rules

I am really struggling with Firebase database security rules.

I am working on a simple app, where users can maintain a list of records, which anyone can read but only the user who created the record can edit or delete.

Just consider it like a todo app, where authenticated users can manage a list of tasks. Users can read each other's task lists but only the user who created the task can delete or edit it.

I have tried different options but failed to come up with the correct security policy.

Is there any example I can follow or any recommendation on how to structure the data to simplify the security policy?

Sample security rule

I have tried something like this:

{
  "rules": {
    "records": {
      ".read": true,
      "$user_id": {
        ".write": "auth.uid === $user_id"
      }
    }
  }
}

So that anyone can read records but only the logged-in user with a matching user_id should be able to add, edit or delete a record.

However, when I try a write action in the simulator, I always get a write denied error. I am passing the auth uid as "user_id" in the request body/data.

I have also tried:

{
  "rules": {
    "records": {
      ".read": true,
      ".write": "auth.uid === data.child('user_id').val()"
    }
  }
}

I found this in the documentation. The node users has children stored with auth.uid as a key. So you basically compare the user's uid to the key before writing to that entry:

{
  "rules": {
    "users": {
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid",
        ".read": true
      }
    }
  }
}

https://www.firebase.com/docs/security/guide/user-security.html

Try to add the following node -> "$record_id": {}

{
  "rules": {
    "records": {
      "$record_id": {
        ".read": true,
        ".write": "auth.uid === data.child('user_id').val()"
      }
    }
  }
}
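
An added example, not part of the original posts: a per-record rule set for the todo-style layout in the question that covers create, edit and delete. In Realtime Database rules `data` is the value stored before the write and `newData` is the value after it, so a new record has no `data.child('user_id')` to compare against and the owner check has to look at `newData` as well. It assumes each record keeps its creator's uid in a `user_id` child, as in the question.

```json
{
  "rules": {
    "records": {
      // Anyone may read the list and every record under it.
      ".read": true,

      "$record_id": {
        // Assumption: each record stores the creator's uid in "user_id".
        //
        // auth != null
        //   only signed-in users may write at all.
        // !data.exists() || data.child('user_id').val() === auth.uid
        //   create: nothing is stored yet, so there is no owner to check;
        //   edit/delete: the stored owner must be the caller.
        // !newData.exists() || newData.child('user_id').val() === auth.uid
        //   delete: nothing will be stored, so there is no owner to check;
        //   create/edit: the record must carry the caller's own uid, so a
        //   user cannot create a record in someone else's name or hand an
        //   existing record over to another uid.
        ".write": "auth != null && (!data.exists() || data.child('user_id').val() === auth.uid) && (!newData.exists() || newData.child('user_id').val() === auth.uid)"
      }
    }
  }
}
```

In the simulator, test each case separately against the path `/records/<record id>`: a create and an edit with the signed-in uid in `user_id`, an edit and a delete while signed in as a different uid, and a create whose `user_id` is not the signed-in uid.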
