如何使用 Firebase 安全规则创建公共/私人用户配置文件? [英] How to create public/private user profile with Firebase security rules?

问题描述

{
  "rules": {
       "users": {
            "$uid":{ 
                 //Private whatever under "uid" but Public is exposed
                 ".read": "auth != null && auth.uid == $uid",
                 ".write": "auth != null && auth.uid == $uid",

                 "public": { ".read": "auth != null" }
                 }
               }
            }
}

• 我创建了这些规则来让用户拥有公共/私人资料
• users/{uid}/public"配置文件应该可供任何经过身份验证的用户访问，但不能访问下的数据用户/用户名"
• I've created these rules to have users public/private profile
• "users/{uid}/public" profile should be accessible by any users those are authenticated, but cannot access the data under "users/uid"

这是一些存储在我的 firebase 数据库中的假数据.

Here is some fake data that is stored in my firebase database.

{
  "users" : {
    "YFIIAgwa2kaannrXjwvSZmoywma2" : {
      "Name:" : "Example 1",
      //This public child should be accessible by 
      //"Example 2" but cannot know the name of 
      // this user
      "public" : {
        "email" : "example1@gmail.com"
      }
    },
    "YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
      "Name:" : "Example 2",
      //This public child should be accessible by 
      //"Example 1" but cannot know the name of 
      // this user
      "public" : {
        "email" : "example2@gmail.com"
      }
    }
  }
}

我想知道这是否是防止任何用户访问用户关键信息的有效方法！无论如何我可以通过使用验证来改进这一点吗?我愿意接受你们的任何建议.我想为我的应用程序创建最好和最简单的安全规则.

I want to know if this is the robust way to prevent any users from accessing user's critical information! Is there anyway I can improve this by using validate? I am open to any suggestions you guys have. I want to create the best and simple security rules for my app.

推荐答案

您绝对可以使用当前的数据结构保护对私有和公共数据的访问.

You can definitely secure access to the private and public data with your current data structure.

但您有时可能想要的一个用例是显示所有用户的公共信息列表.使用您当前的数据结构是不可能的，因为 Firebase 的安全模型无法使用过滤数据.有关此问题的出色答案，请参阅 限制子/字段访问安全规则.

But one use-case you'll likely want at some point is to show a list of the public info for all users. With your current data structure that is not possible, because Firebase's security model cannot be used to filter data. For a great answer covering this, see Restricting child/field access with security rules.

大多数开发人员将公共数据和私有数据拆分为完全独立的子树:

Most developers split the public and private data in completely separate subtrees:

{
  "users" : {
    "YFIIAgwa2kaannrXjwvSZmoywma2" : {
      "Name:" : "Example 1",
    },
    "YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
      "Name:" : "Example 2",
    }
  },
  "public_profiles": {
    "YFIIAgwa2kaannrXjwvSZmoywma2" : {
      "email" : "example1@gmail.com"
    },
    "YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
      "email" : "example2@gmail.com"
    }
  }
}

然后您可以通过以下方式保护访问:

You can then secure access with:

{
  "rules": {
     "users": {
        "$uid":{ 
             ".read": "auth != null && auth.uid == $uid",
             ".write": "auth != null && auth.uid == $uid",
        }
     },
     "public_profiles": {
        ".read": "auth != null",
        "$uid":{ 
             ".write": "auth != null && auth.uid == $uid",
        }
     }
  }
}

现在任何经过​​身份验证的用户都可以收听 /public_profiles，这意味着您可以轻松显示这些配置文件的列表.

Now any authenticated user can listen to /public_profiles, which means you can easily show a list of these profiles.

这篇关于如何使用 Firebase 安全规则创建公共/私人用户配置文件?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！