阻止用户修改Firebase中的数据,但允许该数据由应用程序更新 [英] Prevent users from modifying data in Firebase but allow this data to be updated by the application
问题描述
我使用GatsbyJS(React)+ Firebase创建了一个应用程序.
I create an app with GatsbyJS (React) + Firebase.
用户将分数和数据一起保存在Firebase实时数据库中.
Users have a score saved in Firebase Realtime Database with their data.
{
users: {
$uid: {
score: 10,
name: "Antho",
...
}
}
}
我不希望用户自己更改分数,所以我这样分割数据库:
I do not want users to be able to change their score themselves, so I split my database like this:
{
users: {
$uid: {
name: "uciska",
...
}
},
scores: {
$uid: {
score: 10
}
}
}
但是我不知道要制定什么规则.
But I do not know what rules to put in place.
我认为我需要一些后端代码.如果是这样,我想遍历Amazon Lambda函数而不必设置Node.js服务器.
I think I need some backend code. If so I would like to go through Amazon Lambda functions without having to set up a Node.js server.
有可能吗?从哪里开始?
Is it possible ? Where to start ?
Cloud Firestore可以更简单地做到这一点吗?
Could Cloud Firestore do that more simply?
推荐答案
If you don't want your user to be able to write the scores, you can simple use these rules:
{
"rules": {
"users": {
"$uid": {
".write": "auth.uid == $uid"
}
}
"scores": {
".write": false // this is not strictly needed, since the default is false
}
}
}
有了这个,每个用户都可以在下面的位置编写自己的节点 /users/$uid,没有用户可以写任何乐谱.
With this, each user can write their own node under /users/$uid and no user can write any score.
接下来,您将要在其中使用 Firebase Admin SDK 一个值得信赖的环境来编写分数.受信任的环境是您控制访问的对象,例如服务器,开发计算机或 Cloud Functions .在Cloud Functions中运行或以其他方式使用Admin SDK的代码具有管理特权,这意味着它绕过了安全规则.这样,该代码就可以读取/写入包括分数在内的整个数据库.
Next, you'll want to use the Firebase Admin SDK in a trusted environment to write the scores. A trusted environment is something you control access to, such as a server, your development machine, or Cloud Functions. Code that runs in Cloud Functions, or otherwise uses the Admin SDK, has administrative privileges, which means it bypasses the security rules. So that code can read/write the entire database, including the scores.
这篇关于阻止用户修改Firebase中的数据,但允许该数据由应用程序更新的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
