Firebase存储安全规则:检查是否存在另一个对象/检查对象的元数据 [英] Firebase Storage Security Rule : Check if another object exists / check object's metadata
问题描述
在Firebase存储安全规则(不是实时数据库)中,是否有任何方法可以检查路径上是否存在另一个对象,或者是否存在另一个对象的元数据?
In Firebase storage security rules (not realtime database), is there any way to perform a check if another object exists at path, or another object's metadata exists?
某些背景
目前,我已经设置了存储安全性规则,以使用户仅具有对其/users/{userId}/路径的读取访问权限,而没有对其的写访问权限.
Currently my storage security rules are set up so that users only have read access, and not write access to their /users/{userId}/ paths.
我有一个管理云功能,可以将文件保存到/users/{userId}/necessary-file.pdf.而且我不希望用户能够修改或写入此文件,而只希望云功能具有执行权限.为此,我认为我可以匹配以下文件名:
I have an admin cloud function that saves a file to /users/{userId}/necessary-file.pdf. And I don't want users to be able to modify or write this file and only cloud functions to have the right to do. To achieve this I think I can match for the filename like :
match /users/{userId}/{fileName} {
allow write: if !fileName.matches("necessary-file.pdf")
}
问题
我是否有办法只允许用户编写 some-other-file.pdf (如果他们已经在同一路径上有 necessary-file.pdf ) (或者,如果效果更好,甚至在其他地方).所有这些仍然禁止他们编写 necessary-file.pdf .
Is there any way for me to only allow users to write some-other-file.pdf if they already have a necessary-file.pdf at the same path (or even somewhere else if that works better). All while still disallowing them to write necessary-file.pdf.
那么,有什么办法让我做这样的伪代码吗? :
So is there any way for me to do something like this pseudo-code? :
match /users/{userId}/{fileName} {
allow read: if request.auth.uid == userId;
allow write: if (!fileName.matches("necessary-file.pdf")) && ("necessary-file.pdf".exists())
}
作为替代方案,我可以让我的云函数将元数据写入 necessary-file.pdf 并进行检查.有什么办法可以执行类似此伪代码的操作吗? :
As an alternative, I can have my cloud functions write a metadata to necessary-file.pdf and check for that too. is there any way I can perform something like this pseudo-code? :
allow write: if "necessary-file.pdf".metadata['canUserWrite'] == 'yesUserCan'
最后
真正有趣的是,如果可以通过任何方式远程实现,它可以用于在Firebase数据库和Firebase存储规则之间进行通信,而不是实时的方式. (在此引用此问题)云功能可以侦听实时数据库中的预期字段,然后将文件写入firebase存储中,firebase存储可以检查该文件.
What's really cool about this is that, if this is in any way remotely possible, it can be used to communicate between firebase database and firebase storage rules in a not-so-realtime way. (referring to this question here) A cloud function can listen for changes in the intended field in realtime database, and write a file to firebase storage, which firebase storage can check for.
推荐答案
Firebase的Cloud Storage安全规则只能访问有关当前请求和文件的信息.他们无权访问整个存储系统,因此无法检查是否存在另一个文件.
Firebase's Cloud Storage security rules can only access information about the current request and file. They don't have access to the full storage system, so can't check whether another file is present.
这样做的原因是,对于每个请求,都会在内存中评估规则.为其他对象提供对Cloud Storage的访问会降低性能,从而使系统无法扩展.同样的原因也解释了为什么您无法从安全规则访问Firebase数据库.
The reason for this is that the rules are evaluated in memory for every request. Providing access to Cloud Storage for other objects would slow the performance down, making the system unscalable. That same reason explains why you can't access the Firebase Database from the security rules.
如果您想要这样的控件,则需要查看Cloud Functions for Firebase.如果您让用户将文件上传到暂存"区域,则可以让Cloud Function验证他们是否满足所有先决条件,然后将文件移至实际位置(使其可用于进一步处理或供客户查看)
If you want some control like this, you'll want to look in Cloud Functions for Firebase. If you have your users upload their files into a "staging" area, you can have a Cloud Function validate whether they met all prerequisites and only then move the file into the actual location (making it available for further processing or for clients to see).
这篇关于Firebase存储安全规则:检查是否存在另一个对象/检查对象的元数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
