[Posted]: 2019-01-23 17:50:08
[Question]:
I have a firebase database structure with several root nodes (only a few matter for this question): buildings and buildingsUserUid (the intent of buildingsUserUid is to control that users can access their buildings, and only their buildings).
If we look deeper into the structure of the two nodes, we get the following:
users
  `-- userID                       // one user can access this
  |     `-- isAdmin
  |     `-- building pushkey
  |     `-- another building pushkey etc.
  `-- another userID               // one user can access this
  |     `-- isAdmin
  |     `-- building pushkey
  |     `-- another building pushkey etc.
  `-- another user UID etc.

buildingsUserUid
  `-- firebase user UID            // one user can access this
  |     `-- building pushkey
  |     `-- another building pushkey
  `-- another firebase user UID    // another user can access this
        `-- yet another building pushkey
        `-- and another building pushkey etc.

buildings
  `-- building pushkeys            // user with right UID can access this
  |     |-- firebase user UID
  |     `-- Other data
  `-- building pushkeys            // another user with right UID can access this
        |-- firebase user UID
        `-- Other data
My firebase rules then look like this:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth != null && $uid === auth.uid"
      }
    },
    "buildings": {
      ".read": "root.child('buildingsUserUid').hasChild(auth.uid)",
      ".write": "!data.exists() || root.child('buildingsUserUid').hasChild(auth.uid)",
      "$pushkey": {
        ".read": "root.child('buildingsUserUid').child(auth.uid).hasChild($pushkey)",
        ".write": "!data.exists() || root.child('buildingsUserUid').child(auth.uid).hasChild($pushkey)"
      }
    },
    "buildingsUserUid": {
      "$user": {
        ".read": "auth != null && auth.uid === $user",
        ".write": "auth != null && auth.uid === $user"
      }
    }
  }
}
With the rules above I expect access to the buildings node to be restricted to users who have the building pushkey under their buildingsUserUid node. However, if I console.log(this) in my vue.js app, I can see all buildings.
Is this because I am logging this from the app, or would a user be able to access this the same way from the browser console? Is something missing from my rules?
Update:
Following @Umar's answer I changed the rules to:
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth.uid == $uid",
        ".write": "auth != null && $uid === auth.uid"
      }
    },
    "buildings": {
      ".read": "root.child('buildingsUserUid').hasChild(auth.uid)",
      ".write": "!data.exists() || root.child('buildingsUserUid').hasChild(auth.uid)",
      "$pushkey": {
        // changed the following 'read' rule line
        ".read": "root.child('buildingsUserUid').child($pushkey).child('userId') === auth.uid",
        ".write": "!data.exists() || root.child('buildingsUserUid').child(auth.uid).hasChild($pushkey)"
      }
    },
    "buildingsUserUid": {
      "$user": {
        ".read": "auth != null && auth.uid === $user",
        ".write": "auth != null && auth.uid === $user"
      }
    }
  }
}
But this triggers an error:
Error saving rules - Line 15: Invalid == expression: left operand is not a number, boolean, string, null.
Any ideas?
[Discussion]:
Tags: javascript firebase-realtime-database vuejs2 firebase-security
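The behaviour described in the question (every building visible to a user who owns only one) follows from how Realtime Database rules cascade: a `.read` that evaluates true at a shallower path grants the whole subtree, and a rule on a deeper path can only add permission, never take it away. The added example below is not the poster's code nor Firebase's; it is a small simulation of that cascading evaluation written to illustrate the point. The rules are re-expressed as JavaScript predicates instead of rule-expression strings, and the sample database (uids `uidA`/`uidB`, keys `bldg1`/`bldg2`) is constructed for the demonstration. It contrasts the rules as posted with a variant that has no collection-level `.read` on `buildings`.

```javascript
// Added example: a minimal model of Firebase Realtime Database rule cascading.
// Not Firebase's evaluator; rules are JS predicates, data is constructed.

// Constructed sample data mirroring the structure in the question.
const db = {
  buildingsUserUid: {
    uidA: { bldg1: true },
    uidB: { bldg2: true },
  },
  buildings: {
    bldg1: { userId: "uidA", name: "Alpha" },
    bldg2: { userId: "uidB", name: "Beta" },
  },
};

// child(): walk a path of keys, like root.child(a).child(b); undefined if absent.
function child(node, ...keys) {
  let cur = node;
  for (const k of keys) {
    if (cur == null || typeof cur !== "object") return undefined;
    cur = cur[k];
  }
  return cur;
}

// hasChild(): true when `node` is an object that directly contains `key`.
function hasChild(node, key) {
  return node != null && typeof node === "object" &&
    Object.prototype.hasOwnProperty.call(node, key);
}

// Rules as posted: a collection-level .read plus a per-pushkey .read.
// Each ".read" receives { root, auth, vars } where vars binds $wildcards.
const rulesAsPosted = {
  buildings: {
    ".read": ({ root, auth }) =>
      auth != null && hasChild(root.buildingsUserUid, auth.uid),
    $pushkey: {
      ".read": ({ root, auth, vars }) =>
        auth != null &&
        hasChild(child(root.buildingsUserUid, auth.uid), vars.$pushkey),
    },
  },
};

// Tightened variant: no collection-level .read, so only the per-pushkey rule
// can grant access, and only for buildings listed under the caller's uid.
const rulesTightened = {
  buildings: {
    $pushkey: {
      ".read": ({ root, auth, vars }) =>
        auth != null &&
        hasChild(child(root.buildingsUserUid, auth.uid), vars.$pushkey),
    },
  },
};

// canRead(): evaluate .read rules from the root down to `path`. A read is
// granted as soon as ANY rule on that walk is true (shallower rules cascade);
// if no rule along the path grants it, the default is deny.
function canRead(rules, root, path, auth) {
  const segments = path.split("/").filter(Boolean);
  const vars = {};
  let node = rules;
  if (typeof node[".read"] === "function" && node[".read"]({ root, auth, vars })) {
    return true;
  }
  for (const seg of segments) {
    let next = node[seg];
    if (next === undefined) {
      // Fall back to the single $wildcard child at this level, binding it.
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard === undefined) return false; // no rule here: deny
      vars[wildcard] = seg;
      next = node[wildcard];
    }
    node = next;
    const rule = node[".read"];
    if (typeof rule === "function" && rule({ root, auth, vars })) return true;
  }
  return false;
}

// Stand-alone demonstration.
const alice = { uid: "uidA" };
console.log("as posted, uidA reads bldg2:", canRead(rulesAsPosted, db, "buildings/bldg2", alice));
console.log("tightened, uidA reads bldg2:", canRead(rulesTightened, db, "buildings/bldg2", alice));
console.log("tightened, uidA reads bldg1:", canRead(rulesTightened, db, "buildings/bldg1", alice));
console.log("tightened, uidA lists buildings:", canRead(rulesTightened, db, "buildings", alice));
```

With the rules as posted, `uidA` appears in `buildingsUserUid`, so the `.read` on `buildings` is true and the whole collection is readable, including `bldg2`; the `$pushkey` rule never gets a chance to restrict anything. With the collection-level `.read` removed, a read of `/buildings` as a whole is denied and the client has to fetch each building by key it is entitled to, which is the behaviour the question asks for. A separate caveat on the updated rule in the question: in rule expressions `root.child(...)` yields a snapshot object, so comparing it directly with `auth.uid` is what produces the "left operand is not a number, boolean, string, null" error; the comparison needs the snapshot's value (`.val()`) on the left-hand side, and the path it reads should match where the uid is actually stored in the data.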