如何使用Firebase安全规则创建公开/私人用户个人资料? [英] How to create public/private user profile with Firebase security rules?
问题描述
{
rules:{
users:{
$ uid:{
// Private uid但公开的是
.read:auth!= null&& auth.uid == $ uid,
.write:auth!= null& & auth.uid == $ uid,
public:{.read:auth!= null}
}
}
}
}
- 我创建了这些规则用户公开/私人资料
- 用户 / {uid} / 公开由任何用户进行身份验证,但无法访问 users / uid 下的数据
一些虚假的数据存储在我的firebase数据库中。
{
users:{
YFIIAgwa2kaannrXjwvSZmoywma2:{
:Example 1,
//这个公共子应该可以被
//Example 2访问,但是不能知道
的名字//这个用户
public :{
email:example1@gmail.com
}
},
YgSfSzPzxLbyDL17r6P9id2cdvH2:{
Name::Example 2 ,
//这个公共子应该可以被
//Example 1访问,但是不能知道
的名字//这个用户
public:{
email:example2@gmail.com
}
}
}
}
我想知道这是否是防止任何用户访问用户重要信息的可靠方法!无论如何,我可以通过使用验证来改善这一点吗?我很乐意接受你们的建议。我想为我的应用程序创建最好和简单的安全规则。
您可以使用您当前的数据结构来确保访问私人和公共数据。
但是您可能需要的一个用例是显示所有用户的公共信息列表。由于目前的数据结构不可行,因为 Firebase的安全模型不能用于过滤数据。有关覆盖此的一个很好的答案,请参阅限制子/字段访问安全规则。
大多数开发人员将公共和私有数据分割成完全独立的子树:
<$ p
users:{
YFIIAgwa2kaannrXjwvSZmoywma2:{
Name::Example 1,
},
YgSfSzPzxLbyDL17r6P9id2cdvH2:{
Name::Example 2,
}
},
public_profiles:{
YFIIAgwa2kaannrXjwvSZmoywma2:{
email:example1@gmail.com
},
YgSfSzPzxLbyDL17r6P9id2cdvH2:{
email:example2@gmail.com
}
$ b $ p
$ b
然后你可以通过以下方式保护访问:
$ b $
{
rules:{
users:{
$ uid:{
.read:auth!= null&&放大器; auth.uid == $ uid,
.write:auth!= null&& auth.uid == $ uid,
}
},
public_profiles:{$ b $.read:auth!= null,
$ uid:{
.write:auth!= null&& auth.uid == $ uid,
}
}
}
}
现在任何经过身份验证的用户都可以听取 / public_profiles ,这意味着您可以轻松显示这些配置文件的列表。
{
"rules": {
"users": {
"$uid":{
//Private whatever under "uid" but Public is exposed
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
"public": { ".read": "auth != null" }
}
}
}
}
- I've created these rules to have users public/private profile
- "users/{uid}/public" profile should be accessible by any users those are authenticated, but cannot access the data under "users/uid"
Here is some fake data that is stored in my firebase database.
{
"users" : {
"YFIIAgwa2kaannrXjwvSZmoywma2" : {
"Name:" : "Example 1",
//This public child should be accessible by
//"Example 2" but cannot know the name of
// this user
"public" : {
"email" : "example1@gmail.com"
}
},
"YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
"Name:" : "Example 2",
//This public child should be accessible by
//"Example 1" but cannot know the name of
// this user
"public" : {
"email" : "example2@gmail.com"
}
}
}
}
I want to know if this is the robust way to prevent any users from accessing user's critical information! Is there anyway I can improve this by using validate? I am open to any suggestions you guys have. I want to create the best and simple security rules for my app.
You can definitely secure access to the private and public data with your current data structure.
But one use-case you'll likely want at some point is to show a list of the public info for all users. With your current data structure that is not possible, because Firebase's security model cannot be used to filter data. For a great answer covering this, see Restricting child/field access with security rules.
Most developers split the public and private data in completely separate subtrees:
{
"users" : {
"YFIIAgwa2kaannrXjwvSZmoywma2" : {
"Name:" : "Example 1",
},
"YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
"Name:" : "Example 2",
}
},
"public_profiles": {
"YFIIAgwa2kaannrXjwvSZmoywma2" : {
"email" : "example1@gmail.com"
},
"YgSfSzPzxLbyDL17r6P9id2cdvH2" : {
"email" : "example2@gmail.com"
}
}
}
You can then secure access with:
{
"rules": {
"users": {
"$uid":{
".read": "auth != null && auth.uid == $uid",
".write": "auth != null && auth.uid == $uid",
}
},
"public_profiles": {
".read": "auth != null",
"$uid":{
".write": "auth != null && auth.uid == $uid",
}
}
}
}
Now any authenticated user can listen to /public_profiles, which means you can easily show a list of these profiles.
这篇关于如何使用Firebase安全规则创建公开/私人用户个人资料?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
