
Firebase hierarchy security rules

I have a problem restricting access to the children of the object in my database.

The rules I need:

roles - read
-- UID
--- SUPUSR
---- settings =  read only
--- store  = write and read

My rules:

  "roles": {
    ".read": "auth != null",
    ".write": "root.child('roles/SUPUSR/').child(auth.uid).child('settings').child('pri_enabled').val() == 1 || root.child('roles/USERS/').child(auth.uid).child('settings').child('pri_enabled').val() == 1",
    "settings": {
      ".read": "auth != null",
      ".write": false
    }
  }

If I leave it the way it is above, it inherits the "roles" rules for writing.

Firebase Realtime Database Rules cascade: once you grant permission, you cannot revoke it. So if you allow write access on /roles, anyone can write to any child of /roles, whether it's their own or someone else's data.

Other notes:

  • The current rules affect /roles and /roles/settings, which is too high in the database tree; you should be setting the rules of /roles/SUPUSR/someUserId, /roles/SUPUSR/someUserId/settings and so on.
  • The use of auth != null seems out of place. Should any logged in user be able to read any other user's roles? Should this only work for super users?
  • Some of the data would also make sense to be validated.

{
  "rules": {
    "roles": {
      "SUPUSR": {
        "$uid": {
          // any data under /roles/SUPUSR/$uid is readable to logged in users
          ".read": "auth != null", 

          "nome": {
            // only this user can update nome, it also must be a string
            ".write": "auth.uid === $uid",
            ".validate": "newData.isString()"
          },
          "role": {
            // only this user can update role, and it must be one of a select number of string values
            ".write": "auth.uid === $uid",
            ".validate": "newData.isString() && newData.val().matches(/^(R&S|Admin|etc)$/)"
          },
          "store": {
            ".write": "root.child('roles/SUPUSR/').child(auth.uid).child('settings').child('pri_enabled').val() == 1 || root.child('roles/USERS/').child(auth.uid).child('settings').child('pri_enabled').val() == 1"
          }
          // any other keys are ".write": false, by default, which includes "settings"
        }
      }, // end /rules/roles/SUPUSR
      "USERS": {
        "$uid": {
          ...
        }
      }, // end /rules/roles/USERS
      ...
    }, // end /rules/roles
    ...
  }
}
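To make the cascade behaviour concrete, here is an added example (not part of the original answer or of Firebase) that models how ".read"/".write" grants propagate down the tree. It assumes a toy rule representation where each rule is a bool or a Python callable, and it pre-computes the pri_enabled lookup into the auth object instead of reading it from the database root.

```python
# Toy model of Firebase Realtime Database rule cascading (added example, not
# Firebase's engine; ".validate" is not modelled). The real "store" rule reads
# root.child('roles/SUPUSR/<uid>/settings/pri_enabled'); here that lookup is
# pre-computed into auth["pri_enabled"] to keep the model small.

def is_allowed(rules, path, kind, auth):
    """Return True if `kind` (".read" or ".write") is granted for `path`.

    Walks root -> path; the first node whose rule is true grants access and
    the walk stops, so a deeper False is never consulted. Rule values are
    bools or callables taking (auth, wildcards). Unmatched paths are denied.
    """
    node, wildcards = rules, {}
    segments = path.strip("/").split("/")
    for depth in range(len(segments) + 1):
        rule = node.get(kind, False)
        if (rule(auth, wildcards) if callable(rule) else rule):
            return True  # granted at an ancestor: cannot be revoked below
        if depth == len(segments):
            return False  # reached the target with no grant on the way
        segment = segments[depth]
        if segment in node:
            node = node[segment]
        else:  # no literal child: fall back to a "$variable" wildcard
            wild = next((k for k in node if k.startswith("$")), None)
            if wild is None:
                return False
            wildcards[wild] = segment
            node = node[wild]

LOGGED_IN = lambda auth, v: auth is not None
PRIVILEGED = lambda auth, v: auth is not None and auth.get("pri_enabled") == 1
OWNER = lambda auth, v: auth is not None and auth.get("uid") == v["$uid"]

# The question's shape: ".write" is granted at /roles itself.
QUESTION_RULES = {"roles": {
    ".read": LOGGED_IN, ".write": PRIVILEGED,
    "settings": {".read": LOGGED_IN, ".write": False},
}}

# The answer's shape: no ".write" above the per-user leaves.
ANSWER_RULES = {"roles": {"SUPUSR": {"$uid": {
    ".read": LOGGED_IN,
    "nome": {".write": OWNER},
    "store": {".write": PRIVILEGED},
    # "settings" carries no ".write", so it is denied by default
}}}}
ALICE = {"uid": "alice", "pri_enabled": 1}  # constructed sample principal
BOB = {"uid": "bob"}                         # constructed: no privilege
```

With the question's rules a privileged user can write /roles/settings despite its ".write": false, because the grant at /roles is found first; with the answer's rules the same user can write store but not settings.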
