如何将对文件的访问限制为组成员? [英] How to restrict access to files to group members?

问题描述

我有一个聊天应用程序，用户可以在其中进行私人聊天或群聊.每个私人或小组聊天均具有唯一的聊天ID:/images/<chat id>/image.jpg

I have a chat app where users can send photos in private or group chats. Each private or group chat has a unique chat id: /images/<chat id>/image.jpg

如何保护访问此文件的权限，以便只有聊天成员才能查看它们?在Firebase database中，我有一个具有类似/members/<chat id>/member1: true的结构的节点.

How would one secure the access to this files so that only the chat members can view them? In the Firebase database I have a node with a structure like: /members/<chat id>/member1: true.

由于链接仅发布到相应的聊天中，因此这真的有必要吗? 任何经过身份验证的用户都可以实际浏览保存在Firebase storage中的文件吗?还是这是设计使然?

Is this actually necessary, since the links are only posted to the corressponding chats? Can any authed user actually browse through the files saved in the Firebase storage? Or is this prevented by design?

推荐答案

永恒的问题.讨论了一些地方(存储文档， Github Gist )，但TL; DR是:目前，无法从一个数据库读取数据在另一个规则中服务.对于服务，您可以执行以下两项操作之一:

The eternal question. It's discussed a few places (Google Group, Storage Docs, Github Gist), but the TL;DR is: at present, there's no way to read data from one service in the Rules of another. For services, you can do one of two things:

• 使用自定义令牌传达组信息
• 在服务的自定义元数据中传达组信息

一个例子:

// Allow reads if the group ID in your token matches the file metadata's `owner` property
// Allow writes if the group ID is in the user's custom token
match /files/{groupId}/{fileName} {
  allow read: if resource.metadata.owner == request.auth.token.groupId;
  allow write: if request.auth.token.groupId == groupId;
}

这篇关于如何将对文件的访问限制为组成员?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！