Firebase 层次结构安全规则
Firebase hierarchy security rules
我在限制访问对象的子项时遇到问题
我需要的规则:
roles - read
-- UID
--- SUPUSR
---- settings = read only
--- store = write and read
我的规则
"roles":{
".read":"auth != null",
".write":"root.child('roles/SUPUSR/').child(auth.uid).child('settings').child('pri_enabled').val() == 1 || root.child('roles/USERS/').child(auth.uid).child('settings').child('pri_enabled').val() == 1",
"settings":{
".read":"auth != null",
".write":false
}
如果我按上面的方式保留它,它会继承“角色”的书写规则
Firebase 实时数据库规则cascade,一旦授予权限,您将无法撤消它。因此,如果您允许对 /roles 进行写访问,任何人都可以向 /roles 的任何子级写入数据,无论是他们自己的数据还是其他人的数据。
其他说明:
- 当前规则影响
/roles和/roles/settings,这在数据库树中太高了,你应该设置/roles/SUPUSR/someUserId、/roles/SUPUSR/someUserId/settings等规则上。
auth != null 的使用似乎不合适。任何登录用户都应该能够读取任何其他用户的角色吗?这应该只适用于超级用户吗?- 一些数据也有意义 validated。
{
"rules": {
"roles": {
"SUPUSR": {
"$uid": {
// any data under /roles/SUPUSR/$uid is readable to logged in users
".read": "auth != null",
"nome": {
// only this user can update nome, it also must be a string
".write": "auth.uid === $uid",
".validate": "newData.isString()"
},
"role": {
// only this user can update role, and it must be one of a select number of string values
".write": "auth.uid === $uid",
".validate": "newData.isString() && newData.val().matches(/^(R&S|Admin|etc)$/)"
},
"store": {
".write": "root.child('roles/SUPUSR/').child(auth.uid).child('settings').child('pri_enabled').val() == 1 || root.child('roles/USERS/').child(auth.uid).child('settings').child('pri_enabled').val() == 1"
}
// any other keys are ".write": false, by default, which includes "settings"
}
}, // end /rules/roles/SUPUSR
"USERS": {
"$uid": {
...
}
}, // end /rules/roles/USERS
...
}, // end /rules/roles
...
}
}
我在限制访问对象的子项时遇到问题
我需要的规则:
roles - read
-- UID
--- SUPUSR
---- settings = read only
--- store = write and read
我的规则
"roles":{
".read":"auth != null",
".write":"root.child('roles/SUPUSR/').child(auth.uid).child('settings').child('pri_enabled').val() == 1 || root.child('roles/USERS/').child(auth.uid).child('settings').child('pri_enabled').val() == 1",
"settings":{
".read":"auth != null",
".write":false
}
如果我按上面的方式保留它,它会继承“角色”的书写规则
Firebase 实时数据库规则cascade,一旦授予权限,您将无法撤消它。因此,如果您允许对 /roles 进行写访问,任何人都可以向 /roles 的任何子级写入数据,无论是他们自己的数据还是其他人的数据。
其他说明:
- 当前规则影响
/roles和/roles/settings,这在数据库树中太高了,你应该设置/roles/SUPUSR/someUserId、/roles/SUPUSR/someUserId/settings等规则上。 auth != null的使用似乎不合适。任何登录用户都应该能够读取任何其他用户的角色吗?这应该只适用于超级用户吗?- 一些数据也有意义 validated。
{
"rules": {
"roles": {
"SUPUSR": {
"$uid": {
// any data under /roles/SUPUSR/$uid is readable to logged in users
".read": "auth != null",
"nome": {
// only this user can update nome, it also must be a string
".write": "auth.uid === $uid",
".validate": "newData.isString()"
},
"role": {
// only this user can update role, and it must be one of a select number of string values
".write": "auth.uid === $uid",
".validate": "newData.isString() && newData.val().matches(/^(R&S|Admin|etc)$/)"
},
"store": {
".write": "root.child('roles/SUPUSR/').child(auth.uid).child('settings').child('pri_enabled').val() == 1 || root.child('roles/USERS/').child(auth.uid).child('settings').child('pri_enabled').val() == 1"
}
// any other keys are ".write": false, by default, which includes "settings"
}
}, // end /rules/roles/SUPUSR
"USERS": {
"$uid": {
...
}
}, // end /rules/roles/USERS
...
}, // end /rules/roles
...
}
}