[英]The Firebase security rules not works
I have a problem with Firebase rules. 我对Firebase规则有疑问。 Basically I have a root folder called 'users', containing many usersIDs that again contains data, exactly like this:
基本上,我有一个名为'users'的根文件夹,其中包含许多usersID,这些ID再次包含数据,如下所示:
users {
userid1 {
info_user {
a: {
a1: whatever
a2: whatever
a3: {
a3.1: whatever
a3.2: whatever
a3.3: whatever
a3.n: whatever
}
}
n: {} ...
}
},
userid2 {}, ...n
}
Everything work fine when running the following code if there is no security rules, such: 如果没有安全规则,则在运行以下代码时,一切都会正常运行:
{rules {".read" : true, ".write" : true}}
function getUserInfo () {
var dbRef = firebase.database();
var myArray = [];
dbRef.ref('users').on('child_added', function(snapshot) {
snapshot.forEach(function(childSnapshot) {
myArray = (childSnapshot.val().a3);
// do something
});
});
}
My challenge is to change the security rules without change the database structure. 我的挑战是在不更改数据库结构的情况下更改安全规则。
So, I tried to do something like this: 所以,我试图做这样的事情:
{
"rules" : {
".read" : false,
".write" : false,
"users": {
"$userid": {
"info_user": {
"a":{
".read": "auth != null",
".write": "(root.child('r').child('w').hasChild(auth.uid))",
"a1":{".validate": "newData.isString()"},
"a2":{".validate": "newData.isString()"},
"a3":{".validate": "newData.isString()"}
},
"n": {
".read": "auth != null",
".write": "$user_id === auth.uid"
}
}
}
}
}
}
The expected result is to read a node a3 when user is authenticated. 预期结果是在验证用户身份后读取节点a3 。
How to do this? 这个怎么做?
Firebase Database read permission is enforced when you first attach a listener. 首次附加侦听器时,将强制执行Firebase数据库读取权限。 So when you attach a listener to
dbRef.ref('users')
, you must have read permission to /users
. 因此,将侦听器附加到
dbRef.ref('users')
,必须具有对/users
读取权限。 In your security rules that is not the case. 在您的安全规则中并非如此。
To make the rules work, move the read permission up to `users: 要使规则生效,请将读取权限上移至`users:
{
"rules" : {
"users": {
".read" : "auth != null",
...
Note that permission cascades down. 请注意,权限会逐渐降低。 So once you grant the user read permission on
/users
, they have access to all data under /users
. 因此,一旦您授予用户对
/users
读取权限,他们就可以访问/users
下的所有数据。 You cannot take this permission away for a specific node under there. 您不能取消此位置下特定节点的许可。
This leads to one of the pitfalls of securing your Firebase Database: rules cannot be used to filter data. 这导致保护Firebase数据库的陷阱之一:规则不能用于过滤数据。 For more on this, see the Firebase documentation on "rules are not filters" , this answer about it and many more of the questions from developers struggling with the concept .
有关更多信息,请参阅Firebase文档“规则不是过滤器” ,有关此问题的答案以及开发人员在与该概念苦苦挣扎中提出的更多问题 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.