Firebase Security rules for an app with multiple chat rooms


Problem description





I am having trouble imagining what the security rules would look like for an application that looks like this:

• One firebase with multiple chatrooms.
• A moderator authenticates via a separate PHP application.
• Moderators only have permission to modify their own chat room, they can read, write, update, and delete anything within their chat room.
• Guests arrive and authenticate via the separate PHP application.
• Guests have read and write access, but may not delete anything.

My questions right now are these:

1. Is it possible to configure the rules to meet all these requirements? Or are there some requirements that cannot possibly be met?

2. To what extent does the PHP Server have to communicate with Firebase, in notifying Firebase of the existence of users?

Solution

First of all, check out this gist (https://gist.github.com/katowulf/4741111), which is an example I worked up some time ago for multiple chat rooms.

1. Yes. It's perfectly possible.
2. PHP Server? You don't need no server! :)

The data structure is basically as follows:

    # chats roughly equal "rooms"
    /chats/chat_id/users/...

    # a timestamp of when each participant last viewed the room
    /chats/chat_id/last/...

    # the messages sent
    /chats/chat_id/messages/...

The security rules are self documenting. Here's a local copy for referential integrity.

    {
      "chat": {
        // the list of chats may not be listed (no .read permissions here)

        // a chat conversation
        "$key": {

          // if the chat hasn't been created yet, we allow read so there is a way
          // to check this and create it; if it already exists, then authenticated
          // user (specified by auth.account) must be in $key/users
          ".read": "auth != null && (!data.exists() || data.child('users').hasChild(auth.account))",

          // list of users authorized to participate in chat
          "users": {
            // if the list doesn't exist, anybody can create it
            // if it already exists, only users already in the list may modify it
            ".write": "!data.exists() || data.hasChild(auth.account)",
            "$acc": {
              // for now the value is just a 1, later it could be a read/write/super privilege
              ".validate": "newData.isNumber()"
            }
          },

          // timestamps recording last time each user has read this chat
          "last": {
            "$acc": {
              // may only be written by the authenticated user and if user is in $key/users
              ".write": "$acc === auth.account && root.child('chat/'+$key+'/users').hasChild($acc)",
              ".validate": "newData.isNumber()"
            }
          },

          "messages": {
            "$msg": {
              // to write a message, it must have all three fields (usr, ts, and msg)
              // and the person writing must be in $key/users
              ".write": "root.child('chat/'+$key+'/users').hasChild(auth.account)",
              ".validate": "newData.hasChildren(['ts', 'usr', 'msg'])",
              "usr": {
                // may only create messages from myself
                ".validate": "newData.val() === auth.account"
              },
              "msg": {
                ".validate": "newData.isString()"
              },
              "ts": {
                ".validate": "newData.isNumber()"
              }
            }
          }
        }
      }
    }

A moderator authenticates via a separate PHP application. Use the custom login module to create a Firebase token for admins. Apply the security rules according to the data you store in that token.

Moderators only have permission to modify their own chat room... This should be pretty self explanatory by simply extending the user permissions above.

Guests arrive and authenticate via the separate PHP application. Use the custom login module to create a Firebase token for admins. Apply the security rules according to the data you store in that token.

(Or scrap the PHP app and just use Firebase's baked in authentication!)

Guests have read and write access, but may not delete anything. Use newData.exists() or newData.hasChildren(...) inside the ".write" rule to prevent deletion.

Guests cannot spoof other guests. Authentication tokens will prevent this.
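The answer's rules cover room membership but leave the moderator and no-delete requirements as an exercise; the rules file below is an added example (not from the answer or the gist) that extends them along the lines the answer suggests. It assumes the PHP app's custom token carries `account` (as in the answer) plus a `role` claim of 'moderator' or 'guest' (current Firebase SDKs expose custom claims as `auth.token.role` rather than `auth.role`), and it roots the tree at "chats" to match the answer's path sketch, whereas the answer's rules are rooted at "chat".

```json
{
  "rules": {
    "chats": {
      "$key": {
        // room contents are readable by any authenticated client (tighten this to a
        // membership check, as in the answer's rules, if rooms are private)
        ".read": "auth != null",

        // the account that moderates this room; written once at creation, only by a
        // client whose custom token carries role === 'moderator' (assumed claim)
        "moderator": {
          ".write": "auth != null && auth.role === 'moderator' && !data.exists() && newData.val() === auth.account",
          ".validate": "newData.isString()"
        },

        "messages": {
          "$msg": {
            // moderator branch: the room's own moderator may create, update or delete any message
            // guest branch: newData.exists() forbids deletion, and a guest may only create a
            // message or overwrite one they wrote themselves
            ".write": "auth != null && (root.child('chats/'+$key+'/moderator').val() === auth.account || (auth.role === 'guest' && newData.exists() && (!data.exists() || data.child('usr').val() === auth.account)))",
            // every message carries all three fields; .validate is not evaluated on deletes
            ".validate": "newData.hasChildren(['ts', 'usr', 'msg'])",
            // usr must be the writer's own account, so one guest cannot spoof another;
            // the moderator may keep the original usr when editing someone else's message
            "usr": { ".validate": "newData.val() === auth.account || root.child('chats/'+$key+'/moderator').val() === auth.account" },
            "msg": { ".validate": "newData.isString() && newData.val().length <= 1000" },
            "ts":  { ".validate": "newData.isNumber()" }
          }
        }
      }
    }
  }
}
```

Rules only guard the path they are written under, so the "chat"/"chats" spelling must match the path the clients actually write to. Note also that the answer's "users" `.write` has no `auth != null` term, so its `!data.exists()` branch lets an unauthenticated client create a room's member list; every `.write` above starts with that term.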
