如何安全地允许用户从Firebase队列中删除响应？ [英] How to safely allow user to delete responses from Firebase-queue?

问题描述

我将Firebase与Angular2和Firebase-queue一起用作批处理服务器。

客户端将任务发送到服务器，并等待响应。 / p>

客户端可以使用请求ID读取响应。但是，那么响应会发生什么？我猜只有客户端可以删除它，但是我真的不喜欢把 .write 给客户端。

所以我试图找出一种方法来保证这个 .write 访问权。

问题：是否可以给 .read 和 .write 只能访问拥有请求密钥的用户？

响应本身，甚至是 / responses 节点对于其他节点都是不可读的。

>

我试图避免人们（恶意）在用户阅读之前删除响应。 解决方案< Frank van Puffelen回答了这里

如果我只希望auth用户能够使用它，我应该使用以下规则吗？

< pre $ respond：{
.read：false，
.write：false，
$ response：{
.read：auth！= null，
.write：auth！= null，
}
}


I'm using Firebase with Angular2 and Firebase-queue as a batch server.

Clients send tasks to the server and sometime they are waiting for a response.

Client can read the response using the request id. But then, what happens to the response ? I guess only the client can delete it but I don't really like to give .write to the client.

So I'm trying to figure out a way to secure this .write access.

Question: Is It possible to give .read and .write access only to the user that own the request key?

The response itself and even the /responses node would not be readable for the others.

I'm trying to avoid people(evil) deleting responses before the user can read it.

解决方案

Frank van Puffelen answered the response here.

If I only want auth user to able to use it, I should use the following rules right?

"responses": {
  ".read": "false",
  ".write": "false",
  "$responses": {
    ".read": "auth != null",
    ".write": "auth != null",
  }
}

这篇关于如何安全地允许用户从Firebase队列中删除响应？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！