Firebase Security rule


Problem description

I have data in Firebase in the following format -

  "requests" : {
    "-KpPjt5jQZHBalQRxKSK" : {
      "email" : "pariksheet@agsft.com",
      "itemId" : "-KmazkKp5wavdHOczlDS",
      "quantity" : 1,
      "status" : "new"
    },
    "-KpZsw3KHE9oD1CIFQ4R" : {
      "email" : "pbarapatre@gmail.com",
      "itemId" : "-Kmb-ZXfao7VdfenhfYj",
      "quantity" : 1,
      "status" : "new"
    }
  }

Each request contains

"email" <- user's email id who has initiated the request.
"itemId" <- id of requested item
"quantity" <- item quantity
"status" <- "new" | "approved" | decline.

I am struggling to write a Firebase rule which would:

  • Allow an authenticated user to access/read the requests he/she has made.
  • Allow admin users to read/update all requests.

My current rules are as follows:

{
  "rules": {
    ".read": false,
    ".write": false,
    "items": {
      ".read": "auth != null",
      ".write": "root.child('roles').child(auth.uid).val() === 'admin'"
    },
    "requests": {
      ".write": "root.child('roles').child(auth.uid).val() === 'admin'", /* Only admins can update requests */
      "$rId": {
        /* Request owner and admin can read only this particular request; in rules the signed-in email is auth.token.email, not auth.email */
        ".read": "data.child('email').val() == auth.token.email || root.child('roles').child(auth.uid).val() === 'admin'"
      }
    }
  }
}

I have maintained a separate node roles which has { "uid" : "role" }

I am using AngularFire2 to query Firebase in my app.

Sample code to retrieve requests with a given status is below:

const queryList$ = this.db.list('/requests', {
    query: {
        orderByChild: 'status',
        equalTo: status
    }
})

Thanks, Pari

Recommended answer

I suggest you make the following changes:

In the root of the database create a new object admins

"admins": {
    "<ADMIN_1_UID>": true,
    "<ADMIN_2_UID>": true
}

Then make changes to your security rules like this:

{
  "rules": {
    "admins": {
      ".read": false,
      ".write": false /* This ensures that you can add data to this object only from the Firebase console */
    },
    "requests": {
      /* Admin flags are stored as boolean true, so compare with === true (a rule must evaluate to a boolean) */
      ".read": "root.child('admins').child(auth.uid).val() === true",
      ".write": "root.child('admins').child(auth.uid).val() === true", /* Only admins can read/update all requests */
      "$rId": {
        ".read": "data.child('email').val() == auth.token.email" /* Request owner can read only this particular request; the email is under auth.token in rules */
      }
    }
  }
}
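To see how the answer's rules behave for the query in the question, here is an added plain-JavaScript model of the read decisions (not code from the question, the answer, or Firebase); it assumes the admins node holds boolean true values and that rules see the email as auth.token.email, and the sample data is constructed from the question.

```javascript
// Added example: a model of how the answer's rules decide reads, showing the
// downward cascade and why a query on /requests needs .read at /requests itself.
// Constructed sample data, modelled on the question's /requests and the answer's /admins.
const root = {
  // admins stored as boolean true so the rule can compare with === true
  admins: { 'admin-uid-1': true },
  requests: {
    '-KpPjt5jQZHBalQRxKSK': { email: 'pariksheet@agsft.com', itemId: '-KmazkKp5wavdHOczlDS', quantity: 1, status: 'new' },
    '-KpZsw3KHE9oD1CIFQ4R': { email: 'pbarapatre@gmail.com', itemId: '-Kmb-ZXfao7VdfenhfYj', quantity: 1, status: 'new' },
  },
};

// auth mirrors the rules variable: { uid, token: { email } }, or null when unauthenticated.
// root.child('admins').child(auth.uid).val() === true
const isAdmin = (auth) => auth !== null && root.admins[auth.uid] === true;
// data.child('email').val() == auth.token.email, evaluated at /requests/$rId
const isOwner = (auth, req) => auth !== null && req !== undefined && req.email === auth.token.email;

// Reading one request: the /requests rule (admin) cascades down to every child,
// and the $rId rule adds the owner case for that single child only.
function canReadRequest(auth, rId) {
  return isAdmin(auth) || isOwner(auth, root.requests[rId]);
}

// A query such as list('/requests', { orderByChild: 'status' }) is a read of /requests;
// only the rule at that node counts, so a non-admin owner is refused even though some
// children would be readable one by one (rules are not filters).
function canQueryRequests(auth) {
  return isAdmin(auth);
}

// Which requests a user could still fetch individually, for comparison with the query.
function individuallyReadable(auth) {
  return Object.keys(root.requests).filter((rId) => canReadRequest(auth, rId));
}
```

With the answer's rules, the AngularFire2 query in the question therefore succeeds only for admins; a non-admin user needs either a .read rule at /requests or a separate per-user index node in order to list their own requests.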
