如何设置Firebase数据库规则以保护每个用户的数据? [英] How to to set firebase database rules to secure data per user?

问题描述

我是Firebase的新手，我试图了解规则，在该规则中，将使用经过身份验证的用户ID来保护数据.我在客户端上使用Angularfire2.而且我正在使用电子邮件/密码身份验证，效果很好.

I'm new to Firebase, and I'm trying to understand rules where authenticated user id is to be used for securing data. I'm using Angularfire2 on the client. And I'm using email/password authentication, which works fine.

如果我设置数据库规则以允许对经过身份验证的用户进行读写操作，则一切正常，最终我在Firebase数据库中获得了以下数据...

If I set my database rules to allow read and write for authenticated users, everything works fine, and I end up with the following data in the Firebase database...

{
  "notes" : {
    "-KmgjG9hxoXOTtuLTItz" : {
      "content" : "test",
      "title" : "Test note 1",
      "uid" : "iLH4Kg20shViwJebCmU8Ynp0OG23"
    },
    {
    "-Kmh5igvItrJstbAhRpq" : {
      "content" : "test",
      "title" : "Test note2",
      "uid" : "iLH4Kg20shViwJebCmU8Ynp0OG23"
    }
  }
}

现在，我想在经过身份验证的用户与在每个对象上设置的用户ID(uid)匹配的情况下限制读写权限，所以我将规则更改如下...

Now I want to restrict read and write permissions where the authenticated user matches the user id (uid) set on each object, so I changed the rules as follow...

{
  "rules": {
    "notes": {
      ".read": "data.child('uid').val() == auth.uid",
      ".write": "newData.child('uid').val() == auth.uid"
    }
  }
}

但是，这不起作用.读取失败，并显示...

However, this does not work. Reads fail with...

错误错误:/notes处的权限拒绝:客户端没有 有权访问所需数据.

ERROR Error: permission_denied at /notes: Client doesn't have permission to access the desired data.

...并且写入失败并带有...

...and writes fail with...

FIREBASE警告:设置为/notes/-KmgjG9hxoXOTtuLTIpG失败: Permission_denied

FIREBASE WARNING: set at /notes/-KmgjG9hxoXOTtuLTIpG failed: permission_denied

我知道用户已通过身份验证，因为如果我按照以下规则对用户ID进行硬编码，则可以正常工作...

I know that the user is authenticated because if I hard-code the user id in the rules like below, it works just fine...

{
  "rules": {
    "notes": {
      ".read": "auth.uid == 'iLH4Kg20shViwJebCmU8Ynp0OG23'",
      ".write": "auth.uid == 'iLH4Kg20shViwJebCmU8Ynp0OG23'"
    }
  }
}

推荐答案

我能够通过重组数据模式来解决此问题，将用户ID放在路径中，而不是对象中，例如/users/< -uid->/notes/，并使用以下规则...

I was able to solve this by restructuring my data schema, putting the user id in the path, not in the object, e.g., /users/<-uid->/notes/, and using the following rules...

{
  "rules": {
    "users": {
      "$userId": {
            ".read": "$userId === auth.uid",
            ".write": "$userId === auth.uid"   
      }
    }
  }
}

根据有关规则不是过滤器"的评论，我现在明白了.让我感到困扰的是，Firebase数据库规则文档所指的是具有键值对的子级"，例如，...

As per the comments regarding "rules are not filters", I get that now. The thing that was tripping me up was where the Firebase database rules doc was referring to "children" with key-value pairs, e.g.,...

此示例仅在isReadable子级设置为的情况下才允许读取 在读取的位置为真.

This example only allows reading if the isReadable child is set to true at the location being read.

".read": "data.child('isReadable').val() == true"

对我来说，这意味着JSON数据结构就是这样...

To me that implied that the JSON data structure is something like this...

{ ..., isReadable: true, ...}

但是我想这是指位置路径，例如/users/fred/isReadble或类似的东西.不太确定.好像很奇怪但是无论如何，我都能正常工作.

But I guess that is referring to location paths, e.g., /users/fred/isReadble or something like that. Not quite sure. It seems odd. But regardless, I got it working.

这篇关于如何设置Firebase数据库规则以保护每个用户的数据?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！