
Firebase realtime database rules - Allow multiple user access to list all messages

I would like to give multiple users access to fetch a collection of "messages" they have access to in Firebase Realtime database. The database fetch would read "/messages" and return a collection of all messages the user has access to. Database structure looks like this:

"messages" : {
  "-L123456789": {
    "access": {
      "author": "user-one-id-987654",
      "assigned-user-id-1234": "assigned-user-id-1234"
    },
    "data" : {
      "theData": "Hello world!"
    }
  }
}

I have created the following rule:

{
  "rules": {
    "messages": {
      "$message_id": {
        "data": {
          // readable if the user is the author or an assigned user
          ".read": "data.parent().child('access').child('author').val() === auth.uid || data.parent().child('access').child(auth.uid).exists()",
          ".write": "false"
        }
      }
    }
  }
}

However, I am not able to get a collection of all messages where I am listed as author or assigned user.

What rule would allow a user listed as "author" (user-one-id-987654) or "assigned user" (assigned-user-id-1234) to get a collection of all messages they have access to by simply reading the "/messages/" database path?

I am guessing a rule in the root of "messages" might be the answer?

I have tried the below rule - it grants access to all authenticated users - but I wish to only return a collection where the user is listed as "author" or "assigned user".

{
  "rules": {
    "messages": {
      ".read": "auth.uid !== null"
    }
  }
}

Kind regards /K

Firebase server-side security rules cannot be used to filter data. When you attach a listener to the database, the server checks if that listener is guaranteed to always meet the rules (no matter what the data). If it doesn't meet the rules, the listener is rejected right away.

So if you attach a listener to /messages , the server checks if you have read permission to /messages . And since you don't, it rejects the listener.

If you want to allow the user to read messages of which they're the owner, you'll need two things:

  1. A query that only retrieves the messages that the user owns.
  2. Security rules that ensure only that query is allowed.

For more on this, see the Firebase documentation on securely querying data and the blog post introducing this feature.
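The two pieces the answer asks for, worked through for the data layout in the question as an added example (not code from the question, the answer, or Firebase): a query-based rule on /messages, and a JavaScript model of how the server judges a listener against that rule before it ever looks at the stored data. The rule variables query.orderByChild and query.equalTo, the .indexOn key and the SDK calls quoted in the comments are Firebase's own; readAllowed, runQuery, listen, messagesFor and the two extra sample messages are constructed for this illustration. Because a Realtime Database query filters on a single child, the example goes slightly beyond the answer by allowing two query shapes, one for the author column and one for the caller's own key under "access", so that both users from the question can list what they may see.

```javascript
// Added example, not code from the question or the answer: a model of how the
// Realtime Database server applies a query-based rule to a listener on /messages,
// and of what the matching query then returns. readAllowed, runQuery, listen,
// messagesFor and the extra sample messages are constructed for this illustration.

// Rules for the question's data layout. query.orderByChild and query.equalTo are
// the variables Firebase exposes for the listener's query. The rule accepts only a
// query that filters on the author column or on the caller's own key under
// "access", and only with the caller's own uid as the value. .indexOn covers the
// fixed column; the dynamic "access/<uid>" column cannot be declared there.
const RULES = {
  rules: {
    messages: {
      ".indexOn": ["access/author"],
      ".read": "auth != null && query.equalTo == auth.uid && (query.orderByChild == 'access/author' || query.orderByChild == 'access/' + auth.uid)",
      "$message_id": { ".write": "false" },
    },
  },
};

// Constructed sample data in the structure from the question.
const messages = {
  "-L123456789": {
    access: { author: "user-one-id-987654", "assigned-user-id-1234": "assigned-user-id-1234" },
    data: { theData: "Hello world!" },
  },
  "-L223456789": {
    access: { author: "someone-else" },
    data: { theData: "Not visible to either user" },
  },
  "-L323456789": {
    access: { author: "user-one-id-987654" },
    data: { theData: "Second message by the author" },
  },
};

// The .read expression from RULES restated in JavaScript. It inspects only the
// listener's shape (auth and query); the stored data is never consulted, which is
// why a bare listener on /messages is rejected no matter who owns the messages.
function readAllowed(auth, query) {
  if (!auth) return false;
  return query.equalTo === auth.uid &&
    (query.orderByChild === "access/author" ||
     query.orderByChild === "access/" + auth.uid);
}

// What an accepted orderByChild/equalTo query returns: the children whose value
// at the ordered path (a deep path such as "access/author") equals the given value.
function runQuery(db, query) {
  const result = {};
  for (const [key, msg] of Object.entries(db)) {
    const value = query.orderByChild
      .split("/")
      .reduce((node, part) => (node == null ? undefined : node[part]), msg);
    if (value === query.equalTo) result[key] = msg;
  }
  return result;
}

// Attaching a listener: the server checks the rule first, then serves the query.
function listen(db, auth, query) {
  if (!readAllowed(auth, query)) return { allowed: false, messages: {} };
  return { allowed: true, messages: runQuery(db, query) };
}

// A client that wants everything it may see issues the two permitted queries and
// merges the results. SDK equivalents (Firebase JS SDK v9 modular API):
//   query(ref(db, "messages"), orderByChild("access/author"), equalTo(uid))
//   query(ref(db, "messages"), orderByChild("access/" + uid), equalTo(uid))
// A plain onValue(ref(db, "messages"), ...) carries neither and is rejected.
function messagesFor(db, auth) {
  const authored = listen(db, auth, { orderByChild: "access/author", equalTo: auth.uid });
  const assigned = listen(db, auth, { orderByChild: "access/" + auth.uid, equalTo: auth.uid });
  return { ...authored.messages, ...assigned.messages };
}
```

Two caveats a practitioner will hit with this layout. The "access/<uid>" column cannot be listed in .indexOn, so the second query runs unindexed and Firebase logs a warning about it; if that matters, keep a separate per-user index of message ids instead. And because the .read rule now lives on /messages and only admits the two query shapes, a direct read of /messages/<id> without a query is rejected too; grant that separately under $message_id if the client needs it.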
