Firebase security rule for array of messages


Problem description

I am trying to display a list of messages based on the recipient but for now, let's keep it simple. I am just trying to display a list of messages.

My rules look like this:

{
  "rules": {
    "communications": {
      "$communication": {
        ".read": true,
        ".write": true
      }
    }
  }
}

For some reason though, my application does not want to read it:

// Authenticate, then bind the whole /communications list to the scope
fireRef = new Firebase(url);
fireRef.auth(MY_TOKEN);
commsRef = fireRef.child('communications');
$scope.communications = $firebase(commsRef);

It only works if I have a rule looking like

{
  "rules": {
    "communications": {
      ".read": true,
      ".write": true
    }
  }
}

But that will cause a problem, as I would like to add a condition on the children node of my communication. Something like:

{
  "rules": {
    "communications": {
      ".read": true, // I would like to get rid of this line as well and have the child handling it
      ".write": true,

      "$communication": {
        ".read": "data.child('to').val() == auth.uid"
      }
    }
  }
}

I am assuming that is because I have a $firebase on the communications and it needs some read or write rules, but how do I get the event when a new message is added otherwise?

Thanks

Recommended answer

With respect to security rules, Firebase operations are all-or-nothing.

That means that lists of data sent to the client will never be incomplete, or filtered views of the complete server data. As a result, attempting to load all of the data at /communications will fail when using your first set of security rules, even though you do have permission to read some of the data there as governed by the child rule at /communications/$communication.

To handle this use case, consider restructuring your data such that each communication is indexed by recipient, i.e. /communications/$recipient/$communication, which will simplify your security rules.

Additionally, you could even make that bucket read-only by the recipient (i.e. .read: auth.id == $recipient) while allowing anyone to send a message to that user (i.e. .write: auth != null && !data.exists()). That last rule ensures that the sending client is authenticated and writing to a location that does not yet exist, such as a new push id.
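
The all-or-nothing behaviour described in the answer, as an added example that is not part of the original post and is not Firebase's code: a small JavaScript model of how .read rules are evaluated, run against the question's first rule set and the answer's per-recipient layout. The rule-tree shape (`children`, `read`), the `canRead` function and the sample users are assumptions made for illustration, and only reads are modelled.

```javascript
// Simplified model of read authorization (illustration only, not Firebase code).
// A read at `path` succeeds only if a .read rule on that path or on one of its
// ancestors is true; rules on deeper children are never consulted, and a grant
// cascades to everything below it.
function canRead(rules, path, auth) {
  const segments = path.split('/').filter(Boolean);
  const vars = {}; // $wildcard bindings, e.g. { $recipient: 'alice' }
  let node = rules;
  for (let i = 0; node; i++) {
    if (typeof node.read === 'function' && node.read(auth, vars)) return true;
    if (i === segments.length) break; // reached the requested path, no grant
    const children = node.children || {};
    const seg = segments[i];
    if (children[seg]) {
      node = children[seg];
    } else {
      const wild = Object.keys(children).find((k) => k.startsWith('$'));
      if (wild) vars[wild] = seg;
      node = wild ? children[wild] : null;
    }
  }
  return false;
}

// Question's first rule set: ".read": true only under $communication.
const perMessageRules = { children: { communications: { children: {
  $communication: { read: () => true },
} } } };

// Answer's layout: /communications/$recipient/$communication, readable by
// the recipient only (written with auth.uid, as in the question's rule).
const perRecipientRules = { children: { communications: { children: {
  $recipient: { read: (auth, vars) => auth !== null && auth.uid === vars.$recipient },
} } } };

const alice = { uid: 'alice' }; // constructed auth payloads
const bob = { uid: 'bob' };
console.log(canRead(perMessageRules, '/communications', alice));         // false
console.log(canRead(perRecipientRules, '/communications/alice', alice)); // true
console.log(canRead(perRecipientRules, '/communications/alice', bob));   // false
```

In this model a listener attached at /communications/alice is authorized as a whole, so the recipient still gets events for new messages without any read rule on /communications itself.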
