如何在Firebase中实施基于角色的访问控制？ [英] how do I implement role based access control in firebase

问题描述

这是我第一次进军Firebase&使用简单的登录安全电子邮件/密码，我如何限制对Firebase中数据的访问？例如，一些用户将有权创建一个业务对象（用户，客户，类别等），其他人则不会。有没有办法将权限列表附加到auth变量？

解决方案

直接授权给auth变量（或者至少这似乎不是一个预期的策略）。我建议创建一个由 auth.uid 组织的用户集合，并且可以保留任何你想要的权限属性，这样你的安全规则可能看起来像（未经测试）：

  {
rules：{
.read：true， 
users：{
.write：root.child（'users'）。child（auth.uid）.child（'role'）。val（）=='admin' 
} 
} 
} 
  

角色是属于用户集合中所有对象的属性。

This is my first foray into Firebase & nosql, I come from a SQL background.

Using Simple Login Security Email/Password, how do I limit access to data in Firebase? For example, some user will have access to create a business object (users, customers, categories, etc), others won't. Is there a way to attach a list of permissions to the "auth" variable?

解决方案

There isn't a way to attach permissions directly to the auth variable (or at least that doesn't seem to be an intended strategy). I'd recommend creating a collection of users organized by auth.uid and you can keep whatever kind of permission attributes you want in there, such that your security rules might something look like this (untested):

{
  "rules": {
    ".read": true,
    "users": {
      ".write": "root.child('users').child(auth.uid).child('role').val() == 'admin'"
    }
  }
}

Where role is an attribute belonging to all objects in your users collection.

这篇关于如何在Firebase中实施基于角色的访问控制？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！