firebase 安全权限不起作用 [英] firebase security permission not working

问题描述

我的 firebase 中存储了以下数据:

I have below data stored in my firebase:

firebaseRoot
    admins
        simplelogin:1: 
    users
        simplelogin:1
            email: abc@xyz.com
            picture: csd
            provider: password
            uid: simplelogin:1
        simplelogin:2
            email: abc1@xyz.com
            picture: zsd
            provider: password
            uid: simplelogin:1

并遵循安全规则:

{
  "rules": {
    "admins": {
      ".read": "root.child('admins').child(auth.uid).val() === true",
      ".write": "root.child('admins').child(auth.uid).val() === true"
    },
    "users": {
      "$user":{
        ".read": "$user === auth.id || root.child('admins').child(auth.uid).val() === true",
        ".write": "$user === auth.id"
      }
    }
  }
}

我的授权要求如下.

1. 管理员只能由现有管理员读取和添加.这行得通.
2. 管理员可以读取所有用户，但不能写入用户数据.
3. 用户可以读取和更新自己的用户数据.

目前根据上述规则，我无法读取管理员和登录用户的用户数据.我收到以下错误消息.请提供您的帮助.谢谢.

Currently with above rules, I am not able read users data both for admins and logged in users. I get below error message. Please provide your help. Thanks.

var rootRef = new Firebase('https://xxxxx.firebaseio.com/');
var users = rootRef.child('users');
users.on('value', function(snap) {
console.log(snap.key(), snap.val());
}, function(error) {
console.log(error);
});

错误:

错误:permission_denied:客户端无权访问所需数据.

Error: permission_denied: Client doesn't have permission to access the desired data.

推荐答案

在 Firebase 安全规则方面有两个陷阱:

There are two pitfalls when it comes to Firebase security rules:

1. 规则级联

这意味着一旦您在 JSON 结构中的某个级别上授予某人(读或写)访问权限，您就不能再立即在较低级别上进行访问

This means that once you give somebody (read or write) access on a certain level in the JSON structure, you cannot take that right away anymore on a lower level

规则不是过滤器

这意味着您只能读取该节点中的所有数据，前提是您拥有该节点的所有数据的读取权限.如果您只有部分数据的读取权限，则对完整数据的读取操作将失败.

This means that you can only read a node if you have read access to all data in that node. If you only have read access to part of the data, a read operation for the complete data will fail.

在您的安全规则中，您只允许读取users 下的(部分)子项.所以试图读取整个 users.on('value' 将会失败.

In your security rules, you only give permission to read (some of) the children under users. So trying to read the entire users.on('value' will fail.

您可以通过授予管理员 .read 访问 users 节点的权限来解决此问题.

You can solve this by giving the administrator .read access to the users node.

    "users": {
      ".read": "root.child('admins').child(auth.uid).val() === true",
      "$user":{
        ".read": "$user === auth.id",
        ".write": "$user === auth.id"
      }
    }

这篇关于firebase 安全权限不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！