数据库规则允许列出具有读取访问权限的孩子 [英] Database rule allowing to list children with read access

问题描述

我的应用程序中有一条消息列表，我希望用户检索自己的消息列表.

I have a list of messages in my app, and I would like my users to retrieve a list of their own messages.

如果我以"user1"身份登录，则可以毫无问题地获取/messages/message1 ，但是如果我想检索所有消息(而无法访问其他用户的消息)与/messages/一起使用，尽管我有权访问某些子元素，但我仍被拒绝访问权限

If I'm logged in as "user1" i can fetch /messages/message1 without any problems, but if I want to retrieve all my messages (without being able to get access to other user's messages) with /messages/ i get permission denied even though i have access to some of the child elements

如何在不知道消息ID的情况下为用户提供具有读取权限的所有子元素的列表?

How can I give my users a list of all of their child elements with read permission without knowing the IDs of the messages?

谢谢.

下面是我的数据库:

{
  "messages" : {
    "message1" : {
      "sender" : "user1_uid"
      },
    "message2" : {
      "sender" : "user1_uid"
    }
}

这是我的规则:

{
    "messages": {
        "$weddingId": {
            ".read": "data.child('sender').val() == auth.uid"
        }
    }
}

推荐答案

Adolfo有一种有效的方法.他将消息数据传播到特定于用户的节点下.这在NoSQL数据库中非常普遍，本质上是构建许多消息的微型表"，而不是一个大表.

Adolfo has one valid approach. He spreads the message data under user-specific nodes. This is very common in NoSQL databases, essentially building many "mini-tables of messages" instead of one large one.

或者，您可以将邮件的主列表保留在当前位置，但是为每个用户创建一个所谓的邮件索引:

Alternatively, you can keep the master list of messages where it is now, but create a so-called index of messages for each user:

{
  "messages" : {
    "message1" : {
      "sender" : "user1_uid"
      },
    "message2" : {
      "sender" : "user1_uid"
    }
  },
  "user_messages": {
    "user1_uid": {
      "message1": true,
      "message2": true
    }
  }

您现在将拥有messages的安全规则，但要为新的user_messages索引添加这些规则:

You'd keep the security rules for messages as you have them now, but add these for the new user_messages index:

"user_messages": {
  "$userId":{
    ".read": "$userId == auth.uid"
  }
}

在安装好这些信息后，您首先要从/user_messages/<authData.uid>加载消息ID，然后再从/messages/<messageId>加载每条消息，从而为用户加载消息.

With these in place, you'd load the message for a user by first loading the message IDs from /user_messages/<authData.uid> and then loading each individual message from /messages/<messageId>.

另请参阅我们的有关创建可扩展数据的指南有关此技术的更多信息(称为扇出).

See also our guide on creating data that scales for more on this technique (called fan-out).

这篇关于数据库规则允许列出具有读取访问权限的孩子的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！