Firebase JSON安全和阵列 [英] Firebase JSON Security and Arrays
问题描述
我们希望在我们的(主要是非Firebase托管)项目中使用Firepad,但是我们遇到了一些麻烦,找出解决问题的最佳方法。
基本上,我们有很多用户,每个用户都可以成为很多组的成员。这些组每个都有自己的Firepad,用户可以编辑。我们已经有了一个深度开发的使用MySQL的数据库结构,现在不想真正把我们的用户数据迁移到Firebase中,所以我们认为我们会获得更多的创造力。
我们不希望用户能够编辑他们不属于的组的Firepads。因此,作为我们身份验证令牌的一部分,我们认为我们会尝试沿用户ID和他们所属的组列表发送。然后,使用Firebase JSON安全系统,我们可以验证当前正在编辑的Firepad是否在用户所属的组列表中。
问题是,JSON系统似乎不接受许多命令。没有indexOf,我不能在 auth 变量上调用 hasChild 。
我们如何才能确保用户只能编辑他们所属组的Firepads,而无需将所有数据迁移到Firebase? (或维护数据库的两个副本 - 一个在MySQL上,另一个在Firebase上)
这里的技巧是使用一个对象而不是一个数组来存储(有点尴尬,我知道,我们会尽量使这更容易/更直观)。所以在你的认证令牌中,你可以存储如下所示: :true,'group2':true,...}}
然后在你的安全规则中可能有这样的:
pre $
$ b $ group $ {
.read:auth.groups [$ group] == true,
.write:auth.groups [$ group] == true
}
}
然后用户将拥有对/ groups /< group>的读/写权限。只有< group>是在他们的身份验证令牌。
We'd like to use Firepad in our (mostly non-Firebase hosted) project, but we're having some troubles figuring out the best way to approach the problem.
Basically, we have many users, and each user can be a member of many groups. These "groups" each have their own Firepad which users can edit. We already have a deeply developed database structure using MySQL and don't really want to migrate our user data into Firebase right now, so we figured we'd get more creative.
We don't want users being able to edit the Firepads of groups they do not belong to. As such, as part of our authentication token, we figured we'd try sending along the user ID and the list of groups they belong to. Then, using the Firebase JSON security system, we could verify that the Firepad currently being edited is in the list of groups the user belongs to.
The problem is, the JSON system doesn't seem to accept many commands. There's no indexOf, and I can't call hasChild on the auth variable.
How can we ensure that users can only edit the Firepads of groups they belong to, without migrating all of our data to Firebase? (Or maintaining two copies of the database - one on MySQL and one on Firebase)
The trick here is to use an object instead of an array to store the groups (a tad awkward, I know. We'll try to make this easier / more intuitive). So in your auth token, you'd store something like:
{ userid: 'blah', groups: { 'group1': true, 'group2': true, ... } }
And then in your security rules you could have something like:
{
...
"$group": {
".read": "auth.groups[$group] == true",
".write": "auth.groups[$group] == true"
}
}
And then a user will have read/write access to /groups/<group> only if <group> is in their auth token.
这篇关于Firebase JSON安全和阵列的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
