堆栈内存溢出
  简体   繁体   English

Firebase-如何限制通过身份验证的用户对某些路径的访问?

[英]Firebase - how to restrict authenticated user's access to certain paths?

 原文  2018-03-12 22:30:32       javascript/ firebase-realtime-database/ firebase-authentication/ firebase-security-rules

问题描述

Simple enough question: 足够简单的问题:

How do I restrict paths, such as... 我如何限制路径,例如...

/orders/<userid>

/cart/<userid>

/transactions/<userid>/txid

...only to users whose userid matches the one in the path? ...仅适用于其userid与路径中的userid匹配的用户?

I have authentication set up and I need to subscribe to some of these in Vue after firebase.auth().onAuthStateChanged 我已经设置了身份验证,并且需要在firebase.auth().onAuthStateChanged之后在Vue中订阅其中的一些身份验证

It appears, as per the docs here, that in the following rule example, the user token must match the key exactly: 根据此处的文档,似乎在以下规则示例中,用户令牌必须与密钥完全匹配: 

{
  "rules": {
    "users": {
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}

Does this mean that, /orders/123456/order123478 will be restricted and only available to user 123456 ? 这是否意味着/orders/123456/order123478将受到限制,仅对123456用户可用?

1 个解决方案

解决方案1
 1 已采纳  2018-03-12 22:42:39

For the realtime database, update your rules to something like this: 对于实时数据库,将规则更新为以下内容: 

{
  "rules": {
    "orders": {
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth.uid == $uid"
      }
    }
  }
}

The $uid key represents any key nested at that level and allows you to reference it in your rules. $uid键表示嵌套在该级别的任何键,并允许您在规则中引用它。 The auth variable is provided by Firebase and contains details about the authenticated user who issued the request, so you can compare the requesting user's uid with the database's uid key and grant permissions if they match (the nested ".read" and ".write" values). auth变量由Firebase提供,包含有关发出请求的经过身份验证的用户的详细信息,因此您可以将请求用户的uid与数据库的uid密钥进行比较,并在匹配时授予权限(嵌套的".read"".write"值)。

So for a user who's uid is user1 , they would have access to the following data: 因此,对于uiduser1 ,他们将有权访问以下数据: 

{
  "orders": {
    "user1": {
      "order1": read/write,
      "order2": read/write
    },
    "user2": {
      "order1": no access,
      "order2": no access
    },
    "user3": {
      "order1": no access,
      "order2": no access
    },
}

Read the documentation and play around with the simulator found in the Rules section of the Firebase dashboard. 阅读文档,并试用Firebase仪表板“规则”部分中的模拟器。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何让提供商从Firebase经过身份验证的用户访问令牌? - How to get providers access tokens from Firebase authenticated user? 使用 if 语句确定 Firebase 用户是否可以访问某些 React Router 路径 - Using if statement to determine if a Firebase User can access certain React Router paths Firebase:成功通过电子邮件登录后,如何使用Firebase API获取经过身份验证的用户令牌? - Firebase: How to get authenticated user's token using firebase api after successfully logging in with email? 如何从 angular 中的 firebase 中删除经过身份验证的用户 - How to delete authenticated user from firebase in angular 用户通过cognito身份验证后,如何通过用户凭据访问s3存储桶? - How do i pass the user credential to access s3 bucket once user is authenticated by cognito? 如何限制 VueX 商店对某些页面的访问 - How to restrict VueX store access to certain pages 有没有办法获得firebase认证的github用户的用户名 - Is there a way to get a firebase-authenticated github user's username 如何只允许经过身份验证的用户(使用Cognito)访问他们自己的S3存储桶/密钥? - How do I only allow authenticated user (using cognito) access to their own S3 bucket/key specifically? Firebase限制对所有者的访问权限 - Firebase restrict access to owner Firebase 在没有用户登录的情况下限制对其他页面的访问 - Firebase Restrict Access to other pages without user logged in
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM