How to allow firebase user to only access documents that they created


Problem description

This, to me, is the most basic authentication scheme for user-generated content, given a collection called "posts":

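  1. Allow any authenticated user to insert into the "posts" collection
  2. Allow the user who inserted a document into the "posts" collection to read, update, and destroy that document, and deny all others
  3. Allow a user to list all documents in the "posts" collection for which they are the original creator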

All examples I've found so far seem to rely on the document ID being the same as the user's id, which would only work for user's "profile" data (again, all the examples seem to be for this single limited scenario).

It doesn't seem that there is any sort of metadata for who the authenticated user was when a document was created, so it seems I must store the ID on the doc myself, but I haven't been able to get past this point and create a working example. Also, this opens up the opportunity for users to create documents as other users, since the user ID is set by the client.

I feel like I am missing something fundamental here since this has to be the most basic scenario but have not yet found any concise examples for doing this.

Recommended answer

This answer is from this GitHub gist. Basically, in the document collection posts there is a field called uid and it checks if it matches the user's uid.

// Checks auth uid equals database node uid
// In other words, the User can only access their own data

{
  "rules": {
    "posts": {
      "$uid": {
        ".read": "$uid === auth.uid",
        ".write": "$uid === auth.uid"
      }
    }
  }
}

-EDIT-

DSL rules

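match /Posts/{document=**} {
    // Stored documents carry the owner's uid in the "uid" field
    allow read, delete: if resource.data.uid == request.auth.uid;
    // On create only the incoming document exists, so check its uid
    allow create: if request.resource.data.uid == request.auth.uid;
    allow update: if resource.data.uid == request.auth.uid
                  && request.resource.data.uid == request.auth.uid;
}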
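
The three requirements from the question, modelled offline as an added example (not part of the original post and not Firebase's own rule evaluator): create is allowed only when the client-supplied uid equals the caller's uid, the other operations check the stored uid, and a list query is accepted only when it filters on the caller's uid. The names `allows`, `allowsList`, `list`, `whereUid` and the sample users and posts are assumptions made for this illustration.

```javascript
// Added illustration: a small offline model of owner-field access rules.
// It is not Firebase's rule evaluator; function and field names are assumptions.

// auth: {uid} or null; stored: existing doc or null; incoming: doc being written or null
function allows(op, auth, stored, incoming) {
  if (!auth) return false; // every operation needs a signed-in user
  const ownsStored = stored !== null && stored.uid === auth.uid;
  const ownsIncoming = incoming !== null && incoming.uid === auth.uid;
  switch (op) {
    case "create": // the client-set uid must equal the caller's uid
      return stored === null && ownsIncoming;
    case "get":
    case "delete":
      return ownsStored;
    case "update": // the owner cannot hand the post to another uid
      return ownsStored && ownsIncoming;
    default:
      return false;
  }
}

// A list query is accepted only if its own filter guarantees every result is
// owned by the caller; rules do not silently drop other users' documents.
function allowsList(auth, query) {
  return Boolean(auth) && query.whereUid === auth.uid;
}

// Run a list: rejected as a whole, or the caller's documents only.
function list(auth, query, docs) {
  if (!allowsList(auth, query)) throw new Error("permission-denied");
  return docs.filter((d) => d.uid === query.whereUid);
}

// Constructed sample data
const alice = { uid: "alice" };
const bob = { uid: "bob" };
const posts = [
  { id: "p1", uid: "alice", text: "first" },
  { id: "p2", uid: "bob", text: "second" },
];

function demo() {
  return {
    ownCreate: allows("create", alice, null, { uid: "alice", text: "hi" }),
    spoofedCreate: allows("create", alice, null, { uid: "bob", text: "hi" }),
    readOthers: allows("get", bob, posts[0], null),
    reassign: allows("update", alice, posts[0], { uid: "bob", text: "first" }),
    listed: list(alice, { whereUid: "alice" }, posts).map((d) => d.id),
  };
}
```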
