Filtering and Permissions in Firebase


Problem description



I asked this question about my Firebase implementation. Essentially, I was trying to structure my Firebase database so that I could have a collection of objects, with some users accessing a subset of these objects.

In my example, I have tasks. Multiple users will use this database, and per Firebase's suggestion, all the tasks for all users are flattened as children of one parent node. Each user can access their own tasks, indicated by a creatorId in a task object. Perhaps in the future permissions could be extended so tasks could be shared with other users. But for now, just ownership and the creator can read and write their own tasks.

This is trivial to implement using queries. I'm no security expert, but it seems to me that somehow enforcing these rules separate from queries inside client implementation is an important security consideration. Even if my client limits access in this way, and all access requires authentication with our custom token provider, it seems possible that someone (another authenticated user) could figure out how we are retrieving our data, and access other users' tasks.

I know Rules Are Not Filters (see this too), but it seems reasonable that one would want to secure data access in roughly this way.

My questions:

  • Is this simply not a meaningful security concern?
  • If it is, is there a Firebase-like way to do what I'm describing? In Firebase's security example, it would be like users wouldn't be able to access all rooms or messages. That seems like a perfectly reasonable software design decision (private rooms, messages in private rooms, etc.)
  • Am I just totally missing something here, or not understanding the situation, or architecting this in a very naïve way?

Edit:

I think the first time I read Structuring Data, I missed "Using Indices to Define Complex Relationships", which addresses this point.

Solution

I think the first time I read Structuring Data, I missed "Using Indices to Define Complex Relationships", which addresses this point.

What I want to do here is, as Frank van Puffelen clarifies, on my various user objects, add a list of keys for items that each user can access.

This won't change much (except duplicating storing these relationships) when I update or upload items.

When fetching and listening for .ChildChanged events, however, I think instead of setting up one observeEventType handler for all of one type of object, I'll have one handler for each individual object a user has access to.
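The following is an added example, not code from the question, the answer or Firebase itself. It models two things the thread discusses: why a per-task `.read` rule cannot filter a query on the whole `/tasks` node ("rules are not filters"), and the per-user index of task keys that the answer adopts. The database snapshot, the rule evaluator and the `tasksFor` helper are all constructed stand-ins for the Firebase SDK and rule engine, not real API calls.

```javascript
// Constructed in-memory snapshot standing in for the Realtime Database.
// Tasks are flattened under /tasks; /users/$uid/tasks is the per-user index.
const db = {
  tasks: {
    t1: { title: 'write report', creatorId: 'alice' },
    t2: { title: 'pay invoice', creatorId: 'bob' },
    t3: { title: 'review PR', creatorId: 'alice' },
  },
  users: {
    alice: { tasks: { t1: true, t3: true } },
    bob: { tasks: { t2: true } },
  },
};
// Read rules modelled as functions; in rules JSON they would be the strings
// "data.child('creatorId').val() === auth.uid" and "$uid === auth.uid".
// Note there is deliberately no ".read" rule on /tasks itself.
const readRules = {
  'tasks/$taskId': (data, auth) => data.creatorId === auth.uid,
  'users/$uid': (_data, auth, vars) => vars.$uid === auth.uid,
};
// Rule evaluation the way Firebase cascades it: a read is granted if the
// location or any ancestor has a rule that returns true. A read of /tasks as
// a whole finds no rule and is denied; rules never filter children per item.
function canRead(path, auth) {
  const segs = path.split('/').filter(Boolean);
  for (let len = 1; len <= segs.length; len++) {
    const prefix = segs.slice(0, len);
    for (const [pattern, rule] of Object.entries(readRules)) {
      const pSegs = pattern.split('/');
      if (pSegs.length !== len) continue;
      const vars = {};
      const match = pSegs.every((p, i) =>
        p.startsWith('$') ? ((vars[p] = prefix[i]), true) : p === prefix[i]);
      if (!match) continue;
      const data = prefix.reduce((node, s) => node?.[s], db);
      if (rule(data ?? {}, auth, vars)) return true;
    }
  }
  return false;
}
// The answer's client pattern: read the caller's own index, then read (in the
// real SDK: attach one observer to) each task key individually.
function tasksFor(uid) {
  const auth = { uid };
  if (!canRead(`users/${uid}/tasks`, auth)) return [];
  return Object.keys(db.users[uid]?.tasks ?? {})
    .filter((key) => canRead(`tasks/${key}`, auth))
    .map((key) => ({ id: key, ...db.tasks[key] }));
}
```

With these rules a query on `/tasks` fails even for an authenticated user, while per-key reads succeed only for the creator, which is the behaviour the question was worried about and the index avoids.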
