How to use Firebase rules to only give permission to certain leaf nodes
My basic question is how do you set up Firebase rules to only allow access to certain leaf nodes from their parent?
Let's say I have data that looks like this:
root: {
  posts: {
    post1: {
      user: "foo",
      post: "this is a post",
      restricted: false
    },
    post2: {
      user: "bar",
      post: "this is another post",
      restricted: true
    },
    post3: {
      user: "bar",
      post: "this is my final post",
      restricted: false
    }
  }
}
I want to $bind to the posts node and get all the posts which that user is allowed to get. I might want the admin to access all of the posts but non-admins to only be able to access post1 and post3.
Note: I'm using angularFire's $bind to synchronize nodes.
I don't believe this is possible but I would like to be able to set up my rules kinda like this:
{
  "rules": {
    "posts": {
      ".read": "auth.admin || $post.hasChild('restricted').val() !== true",
      "$post": {
      }
    }
  }
}
How are other users accomplishing this? Thanks.
You can use the data.hasChild expression to achieve this:
{
  "rules": {
    "posts": {
      ".read": "auth.admin || data.hasChild('restricted').val() !== true"
    }
  }
}
However, this is not the recommended approach and won't work in practice. Security rules are not a good fit for filtering data based on access - you'll see permission denied errors in the console because angularFire will try to read all the posts from /blog and it will fail.
Instead, each user should know which posts they have access to and only fetch those directly. You can use push() (or $add in angularFire) to generate random post IDs and set the security rules such that you can access the data if you know the post ID, for example.
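An added example (not part of the original answer, and not Firebase's own code): a simplified JavaScript model of how `.read` rules are evaluated, showing why a non-admin read of /posts is denied as a whole while direct reads of known post IDs are decided one by one. The rule strings in the comments, the `canRead` and `fetchPosts` helpers and the sample data are assumptions made for illustration.

```javascript
// Constructed sample data, mirroring the question's /posts tree.
const db = {
  posts: {
    post1: { user: "foo", post: "this is a post", restricted: false },
    post2: { user: "bar", post: "this is another post", restricted: true },
    post3: { user: "bar", post: "this is my final post", restricted: false },
  },
};

// Simplified model of a rules tree. Each ".read" is a JS predicate standing in
// for the rule string in the comment above it (assumed rules, not from the page).
const rules = {
  posts: {
    // ".read": "auth !== null && auth.admin === true"
    ".read": (auth) => auth !== null && auth.admin === true,
    $post: {
      // ".read": "(auth !== null && auth.admin === true) || data.child('restricted').val() !== true"
      ".read": (auth, data) =>
        (auth !== null && auth.admin === true) || (data && data.restricted) !== true,
    },
  },
};

// A read is granted if any ".read" on the path from the root down to the
// requested location is true. Rules below the requested location are never
// consulted, so a read of /posts is all-or-nothing, not filtered per child.
function canRead(path, auth) {
  let rule = rules;
  let data = db;
  for (const key of path.split("/").filter(Boolean)) {
    rule = rule[key] || rule[Object.keys(rule).find((k) => k.startsWith("$"))];
    if (!rule) return false;
    data = data == null ? null : data[key] ?? null;
    if (rule[".read"] && rule[".read"](auth, data)) return true;
  }
  return false;
}

// Client side of the answer's advice: request known post IDs one at a time
// and keep only the reads that were granted.
function fetchPosts(ids, auth) {
  const out = {};
  for (const id of ids) {
    if (canRead(`/posts/${id}`, auth)) out[id] = db.posts[id];
  }
  return out;
}
```

With these rules a non-admin binding to /posts gets permission denied, but the same user reading /posts/post1 and /posts/post3 directly succeeds, and /posts/post2 stays protected.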