允许首次在Firebase中创建数据,然后限制访问

时间:2015-04-22 19:55:01

标签: javascript firebase firebase-security emberfire

我正在寻找一种解决方案,允许首次在Firebase中创建数据,然后限制对该数据所有者(或管理员)的访问。从本质上讲,我为业务创建了一个注册流程,该流程在Firebase中创建用户以及为该业务创建关联用户。不幸的是,根据我当前的架构和安全规则,我收到permission_denied错误。这是我当前的架构,由EmberFire使用hasMany< - >生成。属于businessemployee模型之间的关系:

+ businesses
  + business_id (generated by EmberFire)
    - name
    + employees
      - employee_id
      - employee_id
+ employees
  + employee_id (generated by Firebase's auth system)
    - first name
    - last name
    - business_id
    - role (ex: 99 for admin)

这是我的安全规则:

{
  "rules": {
    "businesses": {
      // allows only administrators of the business to read and write business data
      "$business_id": {
        ".read": "root.child('employees/' + auth.uid + '/business').val() === $business_id && root.child('employees/' + auth.uid + '/role').val() === 99",
        ".write": "root.child('employees/' + auth.uid + '/business').val() === $business_id && root.child('employees/' + auth.uid + '/role').val() === 99"
      }
    },
    "employees": {
      // only allow employees to read/write their own data or the admin of the business they belong to
      "$employee_id": {
        ".read": "auth.uid === $employee_id || (root.child('employees/' + auth.uid + '/role').val() === 99 && root.child('businesses/' + (root.child('employees/' + auth.uid + '/business').val()) + '/employees/' + $employee_id).exists())",
        ".write": "auth.uid === $employee_id || (root.child('employees/' + auth.uid + '/role').val() === 99 && root.child('businesses/' + (root.child('employees/' + auth.uid + '/business').val()) + '/employees/' + $employee_id).exists())"
      }
    }
  }
}

任何人都可以推荐一组更新的安全规则/架构,这些规则/架构允许在注册期间最初创建数据,然后只能由该数据的所有者/管理员访问吗?

注意:我目前正在运行Firebase 2.2.4和EmberFire 1.4.4。

提前致谢, 詹姆斯

更新

以下是注册过程中使用的代码:

// first, create the user account to be the admin of the business
_this.firebase.createUser({
  email: _this.get('email'),
  password: _this.get('password')
}, function(error, userData) {

  if (error) {
    flashMessages.warning(error);
  } else {

    // authenticate the user and log them in
    _this.get('session').authenticate('authenticator:firebase', {
      'email': _this.get('email'),
      'password': _this.get('password')
    }).then(function() {

      // create the business record
      var business = _this.store.createRecord('business', {
        name: _this.get('businessName')
      });

      // create the employee record and associate the firebase uid
      var employee = _this.store.createRecord('employee', {
        id: userData.uid,
        firstName: _this.get('firstName'),
        lastName: _this.get('lastName'),
      });

      // add the employee<->business relationship
      business.get('employees').then(function(employees) {
        employees.addObject(employee);
      });

      // save the records to Firebase
      employee.save().then(function() {
        business.save();
      });

    }).catch(function(error) {
      flashMessages.warning(error);
    });

  }

});

此外,这里是数据的快照,说明了我所描述的内容:

Data Snapshot

1 个答案:

答案 0 :(得分:3)

您的安全规则需要role = 99,但您永远不会设置它。

以下似乎可以解决您的问题:

// create the employee record and associate the firebase uid
var employee = _this.store.createRecord('employee', {
  id: userData.uid,
  firstName: _this.get('firstName'),
  lastName: _this.get('lastName'),
  role: 99
});

回答更大的问题,是的,写作是在多个部分完成的。 hasMany关系将单独保存,以免完全覆盖其他客户端上可能发生的任何更改。更具体地说,每个hasMany链接在单独的写入中添加或删除,因此可能有2个或更多写入。

对于您的代码,首先保存了business/<id>/employees<employee_id>链接,这意味着在第二次传递时 - 在编写主business/<id>哈希时 - 规则的!data.exists()部分失败。这很好,因为员工已创建并链接到业务,但role = 99检查也失败了。

相关问题
最新问题