我如何在 firebase 中实现基于角色的访问控制 [英] how do I implement role based access control in firebase

问题描述

这是我第一次涉足 Firebase &nosql，我是SQL背景的.

This is my first foray into Firebase & nosql, I come from a SQL background.

使用简单登录安全电子邮件/密码，如何限制对 Firebase 中数据的访问?例如，某些用户将有权创建业务对象(用户、客户、类别等)，而其他用户则不能.有没有办法将权限列表附加到auth"变量?

Using Simple Login Security Email/Password, how do I limit access to data in Firebase? For example, some user will have access to create a business object (users, customers, categories, etc), others won't. Is there a way to attach a list of permissions to the "auth" variable?

推荐答案

没有办法将权限直接附加到 auth 变量(或者至少这似乎不是预期的策略).我建议创建一个由 auth.uid 组织的用户集合，您可以在其中保留您想要的任何类型的权限属性，这样您的安全规则可能看起来像这样(未经测试):

There isn't a way to attach permissions directly to the auth variable (or at least that doesn't seem to be an intended strategy). I'd recommend creating a collection of users organized by auth.uid and you can keep whatever kind of permission attributes you want in there, such that your security rules might something look like this (untested):

{
  "rules": {
    ".read": true,
    "users": {
      ".write": "root.child('users').child(auth.uid).child('role').val() == 'admin'"
    }
  }
}

其中 role 是属于您的 users 集合中所有对象的属性.

Where role is an attribute belonging to all objects in your users collection.

更新

见下方评论:

没有办法将权限直接附加到 auth 变量" 这在 2017 年发生了变化.您现在可以将自定义声明附加到安全规则中提供的 auth 配置文件.有关自定义声明，请参阅 bojeil 的回答和 Firebase 文档.– 弗兰克·范·普费伦

"There isn't a way to attach permissions directly to the auth variable" This changed in 2017. You can now attach custom claims to an auth profile, which are available in security rules. See bojeil's answer and the Firebase documentation for custom claims. – Frank van Puffelen

这篇关于我如何在 firebase 中实现基于角色的访问控制的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！