我在roder中使用backbone.js编写应用程序来学习。你可以在这里找到我真正得到的东西:https://the-todo-app.firebaseapp.com/
我的想法是允许人们使用带有facebook的simpleLogin在应用程序中注册以创建用户,然后将他们重定向到他们的用户并被允许创建和修改他们的待办事项,但我遇到的问题是实际上每个用户都有写入用户文件夹的可能性,这意味着他们可以输入和删除或修改其他用户的数据。我想限制firebase的安全性,允许他们根据他们的id创建他们的用户,但如果他们没有经过身份验证,则不允许他们写。这就是我实际拥有的:
{
"rules": {
".read": true,
".write": true,
".validate": "data.hasChildren(['name', 'picture'])",
"users": {
"$user": {
".read": "$user == auth.id",
".write": "$user == auth.id"
}
}
}
}
麻生太郎尝试了这个:
{
"rules": {
".read": true,
"users": {
"$user": {
".read": "$user == auth.id",
".write": "$user == auth.id"
}
}
}
}
但这种方法不允许客户端创建用户ID。
这就是我的数据实际外观:
{
"users" : {
"10152111176005069" : {
"name" : "Jhonnatan Gonzalez Rodriguez",
"picture" : "url to pic"
},
"10154397958535078" : {
"name" : "Diana Rincón P",
"picture" : "url to pic"
},
"10152167159946759" : {
"name" : "Sebastian Ayala",
"picture" : "url to pic"
}
},
"title" : "The todo app"
}
如果你们知道如何做到这一点,我将不胜感激。
基于ArneHugo的回答我刚刚制定了这个规则并且似乎工作得很好,我需要做更多的测试才能确定。
{
"rules": {
"users": {
".write": "!data.child(auth.id).exists()",
"$user": {
".read": "$user == auth.id",
".write": "$user == auth.id",
".validate": "newData.hasChildren(['name', 'picture'])"
}
}
}
}
我实际上必须将.read规则的用户添加到true才能允许他们检查数据是否存在,这就是规则现在的样子。
{
"rules": {
"users": {
".read": "true",
".write": "!data.child(auth.id).exists()",
"$user": {
".read": "$user == auth.id",
".write": "$user == auth.id",
".validate": "newData.hasChildren(['name', 'picture'])"
}
}
}
}
这就是输出查找匿名用户的方式
Attempt to write {"id":"6726363"} to /users/6726363 with auth=null
/
/users:.write: "!data.child(auth.id).exists()"
5:30: child() expects a string argument.
=> false
/users/6726363:.write: "$user == auth.id"
=> false
/users/6726363:.validate: "newData.hasChildren(['name', 'picture'])"
=> false
Validation failed.
Write was denied.
这就是查找经过身份验证的用户的方式。
Attempt to write {"name":"6726363","picture":"fb picture"} to /users/6726363 with auth={"id":"6726363"}
/
/users:.write: "!data.child(auth.id).exists()"
=> true
/users/6726363:.validate: "newData.hasChildren(['name', 'picture'])"
=> true
/users/6726363:.validate: "newData.hasChildren(['name', 'picture'])"
=> true
Write was allowed.
这是匿名试图写入另一个用户数据的输出。
Attempt to write {"name":"6726363","picture":"fb picture"} to /users/10152111176005069 with auth=null
/
/users:.write: "!data.child(auth.id).exists()"
5:30: child() expects a string argument.
=> false
/users/10152111176005069:.write: "$user == auth.id"
=> false
/users/10152111176005069:.validate: "newData.hasChildren(['name', 'picture'])"
=> true
No .write rule allowed the operation.
Write was denied.
现在,通过这个例子发现,在数据库中具有现有id的经过身份验证的用户可以像这样写入另一个用户数据。
Attempt to write {"name":"6726363","picture":"fb picture"} to /users/10152111176005069 with auth={"id":"6726363"}
/
/users:.write: "!data.child(auth.id).exists()"
=> true
/users/10152111176005069:.validate: "newData.hasChildren(['name', 'picture'])"
=> true
/users/10152111176005069:.validate: "newData.hasChildren(['name', 'picture'])"
=> true
Write was allowed.
答案 0 :(得分:3)
你想要做的事情是完全可能的,我不同意加藤你应该使用不同类型的登录。
这就是你所需要的:
"rules": {
"users": {
//".write": "!data.exists()", /* Edit: removed, as it always returned false */
"$user": {
".read": "$user == auth.id",
".write": "$user == auth.id",
".validate": "newData.hasChildren(['name', 'picture'])"
}
}
}
Protip:使用Firebase中的模拟器测试安全规则。这是一个非常简单的工具。
修改
我做了一个测试,看看你是否真的需要一个读取规则来检查数据是否存在。 (答案:你没有。)
使用以下安全规则
"test": {
".write": "!data.child(auth.id).exists()",
"$user": {
".validate": "newData.hasChildren(['name', 'picture']) && $user == auth.id",
".read": "$user == auth.id",
".write": "$user == auth.id"
}
}
试图写一个新用户:
Attempt to write {"name":"Beardinator","picture":"i.imgur.com/axXz9sr.jpg"} to /test/1337 with auth={"id":"1337"}
/:.write: "root.child('adminPanel').child('admins').child(auth.uid).val() != null"
20:67: child() expects a string argument.
=> false
/test:.write: "!data.child(auth.id).exists()"
=> true
/test/1337:.validate: "newData.hasChildren(['name', 'picture']) && $user == auth.id"
=> true
/test/1337:.validate: "newData.hasChildren(['name', 'picture']) && $user == auth.id"
=> true
Write was allowed.
在我的测试中,我可以在“用户”没有.read规则的情况下检查数据是否存在。