Firebase rules: dynamically give access to a specific user


Problem description

I'm building an Android app which requires me to store some pictures for the user.

Let's say I have 2 users: A and B. They should be able to read / write on their specific folders: user A can read and write to bucket/images/userA and user B can read and write to bucket/images/userB. They should not have access to anything else.

Now let's say user A uploaded picture1.jpg and picture2.jpg. How can user A grant access to bucket/images/userA/picture1.jpg to user B? User B should not have access to picture2.jpg though.

I'm looking for a solution that scales for many users (~100.000+). I suppose it's not a great idea to add a rule to the storage rules every time I want to give access to a file.

The solution I use right now is anyone logged in can read anything if they have the full path to it. The path is not easy to guess and when I want to give access I provide the link. Is that a secure enough solution? I don't think so.

Recommended answer

On the client side

You can use custom File Metadata for that. What it does is add a Map<String, String> to the file's metadata. And since keys in a Map are unique, you can store user B's id as a key and use an empty string as the value:

StorageMetadata metadata = new StorageMetadata.Builder()
                        .setCustomMetadata(userId,"") //User B's id
                        .build();

Then use the updateMetadata() method to share the file:

picture1Ref.updateMetadata(metadata)
        .addOnSuccessListener(new OnSuccessListener<StorageMetadata>() {
            @Override
            public void onSuccess(StorageMetadata storageMetadata) {
                // Updated metadata is in storageMetadata
            }
        })
        .addOnFailureListener(new OnFailureListener() {
            @Override
            public void onFailure(@NonNull Exception exception) {
                // Uh-oh, an error occurred!
            }
        });

On the Firebase Console

Then, in order to validate this on the Firebase side, you can set your rules as follows:

service firebase.storage {
  match /b/{bucket}/o {
    match /images/{userId}/{pictureName} {
      allow write: if request.auth.uid == userId;
      allow read: if request.auth.uid == userId || request.auth.uid in resource.metadata.keys();
    }
  }
}

Share with more users

If you want to share this same file with more users (let's say user C and D), you can repeat the same steps passing their ids to the custom metadata, because only the properties specified in the metadata are updated and all others are left unmodified.

If you want to revoke access from a specific user, you can set a null value for the custom metadata and call updateMetadata() once again.

StorageMetadata metadata = new StorageMetadata.Builder()
                        .setCustomMetadata(userId, null)
                        .build();
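
The sharing flow from the answer above, as an added example that is not part of the original answer and is not Firebase code: a small JavaScript model of the two rules and of the updateMetadata() merge behaviour the answer describes, run over a constructed scenario. The function and field names (canRead, canWrite, ownerId, customMetadata, runScenario) and the user ids are assumptions made for illustration.

```javascript
// Added model of the rules in the answer; this is not Firebase's rules engine.
// Mirrors: allow write: if request.auth.uid == userId;
//          allow read:  if request.auth.uid == userId
//                          || request.auth.uid in resource.metadata.keys();
function canWrite(auth, ownerId) {
  return auth !== null && auth.uid === ownerId;
}

function canRead(auth, ownerId, customMetadata) {
  if (auth === null) return false; // unauthenticated request: no uid to match
  return auth.uid === ownerId ||
    Object.prototype.hasOwnProperty.call(customMetadata, auth.uid);
}

// updateMetadata() as the answer describes it: only the supplied keys change,
// and a null value removes the key. Metadata updates need write access.
function updateMetadata(auth, file, patch) {
  if (!canWrite(auth, file.ownerId)) throw new Error("permission denied");
  for (const [key, value] of Object.entries(patch)) {
    if (value === null) delete file.customMetadata[key];
    else file.customMetadata[key] = value;
  }
  return file;
}

// Constructed scenario: user A owns two pictures and shares only picture1.
function runScenario() {
  const A = { uid: "userA" }, B = { uid: "userB" }, C = { uid: "userC" };
  const picture1 = { ownerId: "userA", customMetadata: Object.create(null) };
  const picture2 = { ownerId: "userA", customMetadata: Object.create(null) };
  const read = (auth, f) => canRead(auth, f.ownerId, f.customMetadata);
  const log = {};

  updateMetadata(A, picture1, { userB: "" });   // A shares picture1 with B
  log.bReadsShared = read(B, picture1);          // true
  log.bReadsUnshared = read(B, picture2);        // false
  log.anonymousReads = read(null, picture1);     // false
  try { updateMetadata(C, picture1, { userC: "" }); log.cSelfGrant = true; }
  catch (e) { log.cSelfGrant = false; }          // C cannot add its own id
  updateMetadata(A, picture1, { userC: "" });    // second grant keeps B's key
  log.bStillReads = read(B, picture1);           // true
  updateMetadata(A, picture1, { userB: null });  // revoke B only
  log.bAfterRevoke = read(B, picture1);          // false
  log.cAfterRevoke = read(C, picture1);          // true
  return log;
}
```
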
