firebase 安全权限不起作用 [英] firebase security permission not working
问题描述
我的 firebase
中存储了以下数据:
I have below data stored in my firebase
:
firebaseRoot
admins
simplelogin:1:
users
simplelogin:1
email: abc@xyz.com
picture: csd
provider: password
uid: simplelogin:1
simplelogin:2
email: abc1@xyz.com
picture: zsd
provider: password
uid: simplelogin:1
并遵循安全规则:
{
"rules": {
"admins": {
".read": "root.child('admins').child(auth.uid).val() === true",
".write": "root.child('admins').child(auth.uid).val() === true"
},
"users": {
"$user":{
".read": "$user === auth.id || root.child('admins').child(auth.uid).val() === true",
".write": "$user === auth.id"
}
}
}
}
我的授权要求如下.
- 管理员只能由现有管理员读取和添加.这行得通.
- 管理员可以读取所有用户,但不能写入用户数据.
- 用户可以读取和更新自己的用户数据.
目前根据上述规则,我无法读取管理员和登录用户的用户数据.我收到以下错误消息.请提供您的帮助.谢谢.
Currently with above rules, I am not able read users data both for admins and logged in users. I get below error message. Please provide your help. Thanks.
var rootRef = new Firebase('https://xxxxx.firebaseio.com/');
var users = rootRef.child('users');
users.on('value', function(snap) {
console.log(snap.key(), snap.val());
}, function(error) {
console.log(error);
});
错误:
错误:permission_denied:客户端无权访问所需数据.
Error: permission_denied: Client doesn't have permission to access the desired data.
推荐答案
在 Firebase 安全规则方面有两个陷阱:
There are two pitfalls when it comes to Firebase security rules:
这意味着一旦您在 JSON 结构中的某个级别上授予某人(读或写)访问权限,您就不能再立即在较低级别上进行访问
This means that once you give somebody (read or write) access on a certain level in the JSON structure, you cannot take that right away anymore on a lower level
这意味着您只能读取该节点中的所有数据,前提是您拥有该节点的所有数据的读取权限.如果您只有部分数据的读取权限,则对完整数据的读取操作将失败.
This means that you can only read a node if you have read access to all data in that node. If you only have read access to part of the data, a read operation for the complete data will fail.
在您的安全规则中,您只允许读取users
下的(部分)子项.所以试图读取整个 users.on('value'
将会失败.
In your security rules, you only give permission to read (some of) the children under users
. So trying to read the entire users.on('value'
will fail.
您可以通过授予管理员 .read
访问 users
节点的权限来解决此问题.
You can solve this by giving the administrator .read
access to the users
node.
"users": {
".read": "root.child('admins').child(auth.uid).val() === true",
"$user":{
".read": "$user === auth.id",
".write": "$user === auth.id"
}
}
这篇关于firebase 安全权限不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!