Firebase Storage security rules and Firestore

Question

I have "groups" in Firestore. Each group has a "members" key. My goal is to write a Firebase Storage security rule to allow "write" only to members of a group:

```
# I want something like this
match /groups/{groupId} {
  allow read, write: if request.auth.uid in get(/database/groups/{groupId}/members);
}
```

Answer

Security rules cannot read from another service, so you won't be able to implement groups in the way you describe here. You'll instead have to encode the knowledge of what groups somebody is a member of in either your rules themselves, or in the ID token of the user (as a custom claim).

For an example of the latter, see this snippet from the Firebase documentation on making data "group private":

Another equally common use case will be to allow group permissions on an object, such as allowing several team members to collaborate on a shared document. There are several approaches to doing this:

  • Mint a Firebase Authentication custom token that contains additional information about a group member (such as a group ID)

  • Include group information (such as a group ID or list of authorized uids) in the file metadata

Once this data is stored in the token or file metadata, it can be referenced from within a rule:

```
service firebase.storage {
  match /b/{bucket}/o {
    // Allow reads if the group ID in your token matches the file metadata's `owner` property
    // Allow writes if the group ID is in the user's custom token
    match /files/{groupId}/{fileName} {
      allow read: if resource.metadata.owner == request.auth.token.groupId;
      allow write: if request.auth.token.groupId == groupId;
    }
  }
}
```

These days you don't need to mint a full custom token to include the group ID; you can include information in a regular token as a custom claim through the Firebase Admin SDKs. For example in Node.js, you could add a groupId like the one used above with:

```
// The new claim shows up in request.auth.token only after the user's ID token is refreshed
admin.auth().setCustomUserClaims(uid, {groupId: "group"})
```

This approach works well for cases where you can clearly identify a single group (or small set of groups) that the user is a part of. If you get large group membership hierarchies, with inclusions and exclusions, it gets harder to capture them in claims, especially since all claims have to be less than 1,000 bytes.

The other approach is to embed knowledge about group membership into the rules themselves. In this scenario you would take the structure you now have in your database, and encode that into your rules.

You can do this manually in the case your group memberships are fairly stable. And in that case you'd end up with hard-coded UIDs in your security rules.

But since you chose to store the group membership in a database, these memberships are likely at least somewhat dynamic. In that case you may want to use a combination of the previous approach to capture part of the membership, and then generate the security rules for the other parts.

You can then deploy the generated rules, either periodically, or whenever the group membership changes.

While this is a more brute-force approach than (just) embedding the information in the user's tokens, I've seen it used to create advanced membership tests. My main dislike for it is that the generated security rules tend to become unreadable. You can mitigate that by generating the "group check" into a separate function in your rules, so that the hand-written rules (which you'll read more frequently) can just include a call to isMemberOfValidGroup(...) or something like that.
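The custom-claims approach from the answer, worked through as an added example (this is not code from the answer or from Firebase): it reads a user's memberships out of an in-memory copy of the asker's "groups" documents, encodes them as a `groups` claim, and refuses anything the Auth backend would reject, namely a reserved claim name or a payload over the 1,000-byte limit. The `SAMPLE_GROUPS` data and the `fakeAuth()` stand-in are constructed so the file runs offline; in production you would pass `admin.auth()` from firebase-admin, whose `setCustomUserClaims(uid, claims)` has the same shape, and trigger `syncUserClaims` from a Firestore write trigger on the group document.

```javascript
// Added example, not from the original answer or from Firebase: build,
// validate and sync custom claims that encode group membership. The Auth
// client is injected so the file runs offline against the fake at the bottom.

const MAX_CLAIMS_BYTES = 1000; // documented limit on the custom-claims payload

// Names that collide with standard ID-token fields and are rejected by
// Firebase (a subset of the documented reserved list).
const RESERVED_CLAIMS = new Set(['sub', 'iat', 'exp', 'aud', 'iss', 'nbf', 'auth_time', 'firebase']);

// Constructed sample of the asker's Firestore "groups" collection once read
// into memory: { groupId: { members: [uid, ...] } }.
const SAMPLE_GROUPS = {
  'team-a': { members: ['alice', 'bob'] },
  'team-b': { members: ['bob'] },
  'team-c': { members: [] },
};

// Sorted ids of every group whose `members` array lists `uid`.
function groupsForUser(groups, uid) {
  return Object.keys(groups)
    .filter((id) => Array.isArray(groups[id].members) && groups[id].members.includes(uid))
    .sort();
}

// Encode the memberships as a `groups` claim (plus any extra claims such as a
// role) and reject what the Auth backend would refuse: reserved names or a
// serialized payload over MAX_CLAIMS_BYTES.
function buildGroupClaims(groupIds, extra = {}) {
  const claims = { ...extra, groups: [...new Set(groupIds)].sort() };
  for (const key of Object.keys(claims)) {
    if (RESERVED_CLAIMS.has(key)) throw new Error(`reserved claim name: ${key}`);
  }
  const size = new TextEncoder().encode(JSON.stringify(claims)).length;
  if (size > MAX_CLAIMS_BYTES) {
    throw new RangeError(`custom claims are ${size} bytes; the limit is ${MAX_CLAIMS_BYTES}`);
  }
  return claims;
}

// Recompute and write the claims for one user. Call this whenever a group's
// `members` array changes; the user sees the new claim on the next token refresh.
async function syncUserClaims(auth, groups, uid) {
  const claims = buildGroupClaims(groupsForUser(groups, uid));
  await auth.setCustomUserClaims(uid, claims);
  return claims;
}

// In-memory stand-in for admin.auth(), constructed for this example only.
function fakeAuth() {
  const store = new Map();
  return {
    store,
    async setCustomUserClaims(uid, claims) { store.set(uid, claims); },
  };
}
```

With a list-valued claim the Storage rule from the answer becomes `allow write: if groupId in request.auth.token.groups;` rather than an equality test. Note that the size check fails closed: a user who belongs to more groups than fit in 1,000 bytes gets an error instead of a silently truncated claim, which is exactly the case the answer says to push into generated rules instead.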

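The generated-rules approach from the answer, as an added example (not code from the answer): a small generator that turns a membership snapshot into a Storage rules file, with the membership test emitted as a separate `isMemberOfValidGroup` function so the hand-written rules stay readable. Because group ids and uids are interpolated into rules source, they are checked against a conservative identifier pattern first; anything else is refused rather than quoted, so a crafted document id cannot inject rules text. `SAMPLE_MEMBERSHIP` is constructed data, and the `/files/{groupId}/{fileName}` layout follows the answer's example.

```javascript
// Added example, not from the original answer: generate Storage rules from a
// membership snapshot. Deploy the output with the Firebase CLI whenever the
// membership data changes.

// Constructed sample: { groupId: [uid, ...] }.
const SAMPLE_MEMBERSHIP = {
  'team-a': ['alice', 'bob'],
  'team-b': ['bob'],
  'archive': [],
};

// Identifiers are only embedded if they match this pattern; Firebase UIDs and
// the document ids used here fit, and anything else is refused outright.
const SAFE_ID = /^[A-Za-z0-9_-]{1,128}$/;

function assertSafeId(id) {
  if (!SAFE_ID.test(id)) throw new Error(`refusing to embed unsafe identifier: ${JSON.stringify(id)}`);
  return id;
}

// One `(groupId == '...' && uid in [...])` disjunct per non-empty group;
// an empty snapshot yields a function that always returns false.
function generateMembershipFunction(membership) {
  const disjuncts = Object.keys(membership)
    .sort()
    .filter((groupId) => membership[groupId].length > 0)
    .map((groupId) => {
      const uids = [...new Set(membership[groupId])].sort().map(assertSafeId).map((u) => `'${u}'`);
      return `(groupId == '${assertSafeId(groupId)}' && uid in [${uids.join(', ')}])`;
    });
  const body = disjuncts.length ? disjuncts.join('\n          || ') : 'false';
  return [
    '    function isMemberOfValidGroup(uid, groupId) {',
    `      return ${body};`,
    '    }',
  ].join('\n');
}

// Hand-written part of the rules: only the call into the generated function
// changes when membership changes, so this stays readable.
function generateStorageRules(membership) {
  return [
    "rules_version = '2';",
    'service firebase.storage {',
    '  match /b/{bucket}/o {',
    generateMembershipFunction(membership),
    '    match /files/{groupId}/{fileName} {',
    '      allow read, write: if request.auth != null',
    '                         && isMemberOfValidGroup(request.auth.uid, groupId);',
    '    }',
    '  }',
    '}',
    '',
  ].join('\n');
}
```

Groups with no members produce no disjunct at all, so a deleted or emptied group denies access without any special casing. The validation step matters more than it looks: rules source is code, and whoever can write a group document would otherwise be able to write into your security policy.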