Firebase hierarchy security rules
I have a problem restricting access to the children of the object.

The rules I need:

roles - read
-- UID
--- SUPUSR
---- settings = read only
--- store = write and read

My rules:
```json
"roles": {
  ".read": "auth != null",
  ".write": "root.child('roles/SUPUSR/').child(auth.uid).child('settings').child('pri_enabled').val() == 1 || root.child('roles/USERS/').child(auth.uid).child('settings').child('pri_enabled').val() == 1",
  "settings": {
    ".read": "auth != null",
    ".write": false
  }
}
```
If I leave it the way it is above, it inherits the "roles" rules for writing.
Firebase Realtime Database Rules cascade: once you grant permission, you cannot revoke it. So if you allow write access on `/roles`, anyone can write to any child of `/roles`, whether it's their own or someone else's data.
Other notes:

- `/roles` and `/roles/settings` are too high in the database tree; you should be setting the rules of `/roles/SUPUSR/someUserId`, `/roles/SUPUSR/someUserId/settings` and so on.
- `auth != null` seems out of place. Should any logged in user be able to read any other user's roles?

```json
{
  "rules": {
    "roles": {
      "SUPUSR": {
        "$uid": {
          // any data under /roles/SUPUSR/$uid is readable to logged in users
          ".read": "auth != null",
          "nome": {
            // only this user can update nome, it also must be a string
            ".write": "auth.uid === $uid",
            ".validate": "newData.isString()"
          },
          "role": {
            // only this user can update role, and it must be one of a select number of string values
            ".write": "auth.uid === $uid",
            ".validate": "newData.isString() && newData.val().matches(/^(R&S|Admin|etc)$/)"
          },
          "store": {
            ".write": "root.child('roles/SUPUSR/').child(auth.uid).child('settings').child('pri_enabled').val() == 1 || root.child('roles/USERS/').child(auth.uid).child('settings').child('pri_enabled').val() == 1"
          }
          // any other keys are ".write": false, by default, which includes "settings"
        }
      }, // end /rules/roles/SUPUSR
      "USERS": {
        "$uid": {
          // ...
        }
      } // end /rules/roles/USERS
      // ...
    } // end /rules/roles
    // ...
  }
}
```
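As an added example (not code from the question or from the answer above), the following Node script models the cascade behaviour the answer describes and evaluates the asker's layout and the answer's layout side by side. Rule bodies are plain JS predicates instead of Firebase rule-expression strings, only `.write` and `.validate` are modelled, and the users `alice`/`bob`, the `sampleRoot` data, and the helpers `val`, `canWrite` and `compareLayouts` are all constructed for this illustration.

```javascript
// Added example, not code from the original question or answer: a small model
// of how Realtime Database ".write" rules cascade, so the two rule layouts on
// this page can be compared offline. Rule bodies are plain JS predicates here
// instead of Firebase rule-expression strings, and only .write/.validate are
// modelled; the cascade semantics ("a grant on an ancestor cannot be revoked
// below it") are what the example demonstrates.

// Constructed sample database standing in for `root` (hypothetical users).
const sampleRoot = {
  roles: {
    SUPUSR: {
      alice: { settings: { pri_enabled: 1 }, store: {}, nome: "Alice" },
      bob: { settings: { pri_enabled: 0 }, store: {}, nome: "Bob" },
    },
    USERS: {},
  },
};

// Equivalent of root.child('a/b').val(): follow a slash path, undefined if missing.
function val(root, path) {
  return path.split("/").filter(Boolean)
    .reduce((node, key) => (node == null ? undefined : node[key]), root);
}

// The asker's original layout: a broad .write on /roles, then ".write": false
// on /roles/settings in the hope of revoking it.
const askersRules = {
  roles: {
    ".write": (c) =>
      val(c.root, `roles/SUPUSR/${c.auth.uid}/settings/pri_enabled`) === 1 ||
      val(c.root, `roles/USERS/${c.auth.uid}/settings/pri_enabled`) === 1,
    settings: { ".write": () => false },
  },
};

// The answer's layout: no .write on /roles; grants live per key under
// /roles/SUPUSR/$uid, so "settings" simply has no grant at all.
const answersRules = {
  roles: {
    SUPUSR: {
      $uid: {
        nome: {
          ".write": (c) => c.auth.uid === c.vars.$uid,
          ".validate": (c) => typeof c.newData === "string",
        },
        role: {
          ".write": (c) => c.auth.uid === c.vars.$uid,
          ".validate": (c) => typeof c.newData === "string" && /^(R&S|Admin|etc)$/.test(c.newData),
        },
        store: { ".write": askersRules.roles[".write"] },
      },
    },
  },
};

// Walk the rule tree from the root toward `path`. A write is granted as soon
// as ANY node on the way (ancestor or target) has a .write that is true, and a
// ".write": false further down never takes that grant back. If the rules stop
// before the path does, the grant still applies to everything below.
// .validate does not cascade: the one at the target node must pass.
function canWrite(rules, path, auth, root, newData) {
  const segs = path.split("/").filter(Boolean);
  const vars = {};
  const ctx = { auth, root, vars, newData };
  let node = rules;
  let granted = false;
  for (let i = 0; i <= segs.length; i++) {
    if (typeof node[".write"] === "function" && node[".write"](ctx)) granted = true;
    if (i === segs.length) break;
    let next = node[segs[i]];
    if (next === undefined) {
      // No literal child rule: try a $wildcard, which binds the path segment.
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return granted;
      vars[wildcard] = segs[i];
      next = node[wildcard];
    }
    node = next;
  }
  if (!granted) return false;
  return typeof node[".validate"] !== "function" || node[".validate"](ctx);
}

// The cases discussed on the page, evaluated against both layouts.
function compareLayouts() {
  const alice = { uid: "alice" }; // pri_enabled = 1
  const bob = { uid: "bob" };     // pri_enabled = 0
  return {
    // asker's rules: the /roles grant reaches bob's settings and even
    // /roles/settings, despite the explicit false placed there
    askerAliceWritesBobSettings: canWrite(askersRules, "roles/SUPUSR/bob/settings/pri_enabled", alice, sampleRoot, 1),
    askerAliceWritesRolesSettings: canWrite(askersRules, "roles/settings/x", alice, sampleRoot, 1),
    askerBobWritesOwnNome: canWrite(askersRules, "roles/SUPUSR/bob/nome", bob, sampleRoot, "B"),
    // answer's rules: per-key grants, settings has no grant, validation enforced
    answerAliceWritesOwnNome: canWrite(answersRules, "roles/SUPUSR/alice/nome", alice, sampleRoot, "Alice2"),
    answerAliceWritesBobNome: canWrite(answersRules, "roles/SUPUSR/bob/nome", alice, sampleRoot, "x"),
    answerBobWritesOwnSettings: canWrite(answersRules, "roles/SUPUSR/bob/settings/pri_enabled", bob, sampleRoot, 1),
    answerAliceWritesNomeNumber: canWrite(answersRules, "roles/SUPUSR/alice/nome", alice, sampleRoot, 5),
    answerAliceWritesBadRole: canWrite(answersRules, "roles/SUPUSR/alice/role", alice, sampleRoot, "Root"),
    answerAliceWritesBobStore: canWrite(answersRules, "roles/SUPUSR/bob/store/item1", alice, sampleRoot, "v"),
  };
}

console.log(compareLayouts());
```

Running it with `node` shows the point of the answer: under the asker's layout, a user with `pri_enabled` set can write bob's settings and `/roles/settings`, because the walk already granted the write at `/roles` and the `false` below is never able to revoke it. Under the answer's layout there is no grant on `/roles` at all, `settings` has no `.write` rule and so stays read-only by default, and `.validate` rejects a non-string `nome` or an unlisted `role`. Note that the `store` rule, as written on the page, still lets any `pri_enabled` user write to any other user's `store`; the model reflects that too.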