[英]Is it legit in firestore security rules using $(request.auth.token.email) to verify accessing users' own data?
I'm developing an app with two kinds of permission roles (admin and member).我正在开发具有两种权限角色(管理员和成员)的应用程序。 Every time an admin adds a member or another admin, he just needs to add them using their specific email address.每次管理员添加成员或其他管理员时,他只需要使用他们的特定地址 email 添加他们。 In this situation, those emails are not required whether registered or not, and also those users can be added offline.在这种情况下,无论是否注册,都不需要这些电子邮件,也可以离线添加这些用户。
The problem is when an admin tries to add a member with an email, I can't add that member user id (probably a new member) to the 'users' collection but can add using his/her email address.问题是当管理员试图添加一个 email 的成员时,我无法将该成员用户 ID(可能是一个新成员)添加到“用户”集合中,但可以使用他/她的 email 地址添加。
So, to be accessed their own data, I'm wondering whether it is recommended to use $(request.auth.token.email) instead of $(request.auth.uid) recommended in firebase security documentation.因此,要访问自己的数据,我想知道是否建议使用 $(request.auth.token.email) 而不是 firebase 安全文档中推荐的 $(request.auth.uid) 。 And also, if you have any suggestions, please let me know.另外,如果您有任何建议,请告诉我。 I am very new to firebase security rules.我对 firebase 安全规则很陌生。
match /shops/{shop} {
allow read, write:
if get(/databases/$(database)/documents/shops/$(shop)/users/$(request.auth.token.email))
.data.admin == true;
}
. .
If you want to prepopulate roles before the user's are registered, going by their email address is common.如果您想在用户注册之前预填充角色,通常会使用他们的 email 地址。
You'll probably want to add a check if the email address is verified in that case, as otherwise anyone can register with one of the email addresses you have listen and gain administrative privileges.在这种情况下,您可能需要添加一个检查 email 地址是否经过验证,否则任何人都可以注册您收听的 email 地址之一并获得管理权限。
Personally I'd see the mapping from email address to role as a temporary step in this scenario, and store the permanent user record under their UID as is more common.就个人而言,我认为从 email 地址到角色的映射是这种情况下的一个临时步骤,并将永久用户记录存储在他们的 UID 下,这更常见。 You can even do that client-side, by allowing the user to write the role to their own profile as long as it matches what you have in the email-to-role mapping collection.您甚至可以在客户端执行该操作,方法是允许用户将角色写入他们自己的配置文件,只要它与您在电子邮件到角色映射集合中的内容相匹配即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.