“抓住所有其他” Firebase数据库规则 [英] "Catch all other" Firebase database rule
问题描述
说我要保留任意名称的产品记录。每个产品都必须包含一个价格,但是没有别的东西是允许的。
我天真的做法是添加一个 .validate 规则到需要newData包含 price 子元素的产品,明确授予对价格节点,然后删除所有访问一个 $其他节点(有点像一个switch语句中的默认子句):
{
rules:{
$ product:{
.read:true,
.write:true,
.validate:newData.hasChildren(['price']),
price:{$ b $.write:true ,
.validate:newData.isNumber()
},
$ other:{
.read。:false,
.write:false,
$ c $ $ b 这是行不通的。使用 {price:1234,foo:bar} 添加新产品仍然会被接受。 然而,如果我将。validate:false 规则添加到 $ other 例如 {price:1234} 是不允许的) (我做错了,不知何故)
是否有某种方法来实现类似于我在此尝试的操作?如果没有,限制Firebase中数据结构的正确方法是什么?我应该这样做吗?什么停止用户填充我的数据库与垃圾,如果我不??解决方案
你已经陷入了几个常见的Firebase安全坑在这里。最常见的是权限级联:一旦您授予树中某个级别的读取或写入权限,您就不能在较低级别获取该权限。
这意味着这些规则是无效的(因为你已经被读/写了一个更高的级别):
$ other:{
.read。:false,
.write:false,
}
要解决这个问题,您必须认识到 .validate 规则是不同的:只考虑数据满足全部验证规则时有效。所以你可以用一个验证规则来拒绝 $ other 数据:
{
rules:{
$ product:{
.read:true,
.write:true,
.validate :newData.hasNumber()
。price:
.validate:newData.hasNildren(['price']),
,
$ other:{
.validate:false
}
}
}
}
Perhaps I'm tackling this problem too much from an SQL kind of perspective, but I'm having troubles understanding how to properly restrict which children should be allowed to populate a node.
Say that I want to keep a record of products with arbitrary names. Each product must contain a price, but nothing else is allowed.
My naive approach was to add a .validate rule to the products requiring newData to contain a price child, explicitly granting write access to the price node and then removing all access an $other node (somewhat like a default clause in a switch statement):
{
"rules": {
"$product": {
".read": true,
".write": true,
".validate": "newData.hasChildren(['price'])",
"price": {
".write": true,
".validate": "newData.isNumber()"
},
"$other": {
".read.": false,
".write": false,
}
}
}
}
This does not work. Adding a new product with {"price": 1234, "foo": "bar"} will still be accepted. If I however add a (I did that wrong, somehow.)".validate": false rule to $other, nothing is accepted instead (e.g. {"price": 1234} is not allowed).
Is there some way to implement something similar to what I'm trying to do here? If not, what is the proper way of restricting a data structure in Firebase? Should I do it at all? What stops the user from filling my database with trash if I don't?
You're falling into a few common Firebase security pits here. The most common one is that permission cascades down: once you've granted read or write permission on a certain level in the tree, you cannot take that permission away at a lower level.
That means that these rules are ineffectual (since you've granted read/write one level higher already):
"$other": {
".read.": false,
".write": false,
}
To solve the problem you must realize that .validate rules are different: data is only considered valid when all validation rules are met. So you can reject the $other data with a validation rules:
{
"rules": {
"$product": {
".read": true,
".write": true,
".validate": "newData.hasChildren(['price'])",
"price": {
".validate": "newData.isNumber()"
},
"$other": {
".validate": false
}
}
}
}
这篇关于“抓住所有其他” Firebase数据库规则的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
