Firebase simple blog (confused with security rules)


Problem description

I'm trying to create a simple todo or blog system based on React + ReactFire.

And after an hour of reading the Firebase tutorial, I'm confused about configuring Firebase security rules.

Code for saving an element:

    this.props.itemsStore.push({
        text : this.state.text,
        done : false,
        user : this.props.user.uid
    })

Everything is OK, but how can I get all records that are owned by the authorized user only?

These rules don't work:

    {
      "rules": {
        "items" : {
             ".write" : "auth !== null",
             "$item" : {
                ".read": "data.child('user').val() == auth.uid"
             }
        }
      }
    }

It seems there is no way to get all records for only one user with security rules; instead, I should use something like a filter. But again, I don't know how to filter elements in ReactFire, and there is no information in the manuals.

As an example, here is how it works in Parse: http://i.stack.imgur.com/l9iXM.png

Solution

The Firebase security model has two common pitfalls:

1. permissions cascade: once you've granted a read or write permission on a specific level, you cannot take this permission away at a lower level

2. rules are not filters: (this is essentially a consequence of the previous pitfall) you cannot use security rules to return a different subset of children for specific users. Either a user has access to a node, or they don't have access to it.

You seem to be falling for that second pitfall. While the user can access each specific message that they are the user for, they cannot query the higher-level items node since they don't have read access to it.

If you want to secure a list of messages/todos for a specific user, you will need to store that data for that specific user.

    items_per_user
        $uid
            $itemid: true

This is quite common in NoSQL databases and is often called denormalizing. See this article called "denormalization is normal" on the Firebase web site. It's a bit outdated as far as the Firebase API goes, but the architectural principles on denormalizing still apply.

To then show the items for a user, you'd do:

    ref.child('items_per_user')
       .child(ref.getAuth().uid)
       .on('child_added', function(snapshot) {
           // snapshot.key() is the item id stored under items_per_user/$uid
           ref.child('items')
              .child(snapshot.key())
              .once('value', function(itemSnapshot) {
                   console.log(itemSnapshot.val());
              });
       });

Many developers new to Firebase think that the inner loop will be too slow to load their data. But Firebase is very efficient when it comes to handling multiple requests, since it only opens a connection once per client and pipelines all the requests in the inner loop.
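To see both pitfalls and the denormalised layout in running code, here is an added example that is not part of the original question or answer and does not use the Firebase SDK. It models the Realtime Database rule cascade in memory: the rule strings are real Firebase rule syntax (with a stricter `.write` on `$item` than the question's, so a user cannot overwrite someone else's item), but the tiny evaluator only checks `.read` rules with the `auth`, `data` and `$wildcard` variables; writes are stored without being checked. The users `alice` and `bob`, the item texts and the counter-based ids standing in for `push()` keys are all constructed for the example.

```javascript
// Added example (not from the original post or the Firebase SDK): an in-memory
// model of the Realtime Database rule cascade. Rule strings are real Firebase
// syntax; the evaluator handles only ".read". Users, texts and ids are constructed.
const rules = {
  rules: {
    items: {
      "$item": {
        // readable only by the user named in the item; nothing grants ".read" on
        // /items itself, so listing the whole node is denied
        ".read": "auth != null && data.child('user').val() == auth.uid",
        // writer must own the new value and may not take over someone else's item
        ".write": "auth != null && newData.child('user').val() == auth.uid && (!data.exists() || data.child('user').val() == auth.uid)"
      }
    },
    items_per_user: {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
};

// Minimal stand-in for RuleDataSnapshot over a plain object.
function snapshot(node) {
  return {
    exists: () => node !== undefined && node !== null,
    val: () => (node === undefined ? null : node),
    child: (name) => snapshot(node !== null && typeof node === "object" ? node[name] : undefined),
  };
}

// Evaluate one rule string as a JS expression over the named variables;
// wildcards such as $uid are valid identifiers, so they become parameters.
function evalRule(expr, auth, data, wildcards) {
  const names = ["auth", "data", ...Object.keys(wildcards)];
  const values = [auth, data, ...Object.values(wildcards)];
  return Boolean(new Function(...names, `return (${expr});`)(...values));
}

// Walk the rule tree from the root down the requested path: the read is allowed if
// ANY node on the walk has a true ".read" rule (permissions cascade down), and rules
// below the requested path never grant access to it (rules are not filters).
function canRead(db, auth, path) {
  let ruleNode = rules.rules, dataNode = db;
  const wildcards = {};
  const granted = () => typeof ruleNode[".read"] === "string" &&
    evalRule(ruleNode[".read"], auth, snapshot(dataNode), wildcards);
  if (granted()) return true;
  for (const seg of path.split("/").filter(Boolean)) {
    let next = ruleNode[seg];
    if (next === undefined) { // no literal child: try the $wildcard, if any
      const wild = Object.keys(ruleNode).find((k) => k.startsWith("$"));
      if (wild === undefined) return false;
      wildcards[wild] = seg;
      next = ruleNode[wild];
    }
    if (next === null || typeof next !== "object") return false;
    ruleNode = next;
    dataNode = dataNode !== null && typeof dataNode === "object" ? dataNode[seg] : undefined;
    if (granted()) return true;
  }
  return false;
}

// Fan-out write: item and index entry are written together, as a multi-location
// ref.update({...}) would do atomically against Firebase.
let seq = 0;
function addItem(db, uid, text) {
  const id = "item" + ++seq; // stands in for a push() key
  db.items = db.items || {};
  db.items[id] = { text, done: false, user: uid };
  db.items_per_user = db.items_per_user || {};
  db.items_per_user[uid] = db.items_per_user[uid] || {};
  db.items_per_user[uid][id] = true;
  return id;
}

// The answer's read pattern: read the user's own index (a read they are allowed),
// then fetch each item by key; every read is checked as the server would.
function itemsForUser(db, auth) {
  const indexPath = `/items_per_user/${auth.uid}`;
  if (!canRead(db, auth, indexPath)) throw new Error("permission denied: " + indexPath);
  const index = (db.items_per_user && db.items_per_user[auth.uid]) || {};
  return Object.keys(index).map((key) => {
    if (!canRead(db, auth, `/items/${key}`)) throw new Error("permission denied: /items/" + key);
    return { key, ...db.items[key] };
  });
}

function demo() {
  const db = {}, alice = { uid: "alice" }, bob = { uid: "bob" };
  const mine = addItem(db, alice.uid, "write security rules");
  const theirs = addItem(db, bob.uid, "bob's post");
  return {
    listAll: canRead(db, alice, "/items"),              // the asker's query: false
    ownItem: canRead(db, alice, `/items/${mine}`),      // true
    othersItem: canRead(db, alice, `/items/${theirs}`), // false
    anonymous: canRead(db, null, `/items/${mine}`),     // false
    aliceItems: itemsForUser(db, alice).map((i) => i.text), // ["write security rules"]
  };
}
```

Calling `demo()` shows the asker's original query on `/items` being denied while each of Alice's own items is readable, and `itemsForUser` is the in-memory counterpart of the `on('child_added')` / `once('value')` loop in the answer. One caveat the model makes visible: the index under `items_per_user/$uid` is only trustworthy because its `.write` rule ties it to `auth.uid`; without that, another user could insert keys into Alice's index, and she would then fetch (and be denied on) items that are not hers.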
