我在Firebase中有一个名为' pending_members'其中包含一个成员列表,等待“所有者”授予的权限,因此,' pending_members'需要以下规则:
我尝试了各种安全规则,但似乎错过了许多极端情况,例如,用户被授予写入权限,因为数据包含他们的uid但他们可以随后提交其他人的uid
有人可以为这种情况建议适当的规则吗?非常感谢
"pending_members" : {
".write" : "auth !== null &&
// The user is authenticated AND
(newData.child(auth.uid).exists() ||
// The new data contains either the current user's id OR
(!newData.exists() &&
// There's no new data (a delete operation) AND
data === auth.uid))",
// The old data is the current user's id
"$member" : {
".validate" : "newData.isString()",
"$other": { ".write": false, ".read": false }
}
}
修改 结构示例:
users ->
personal_data ->
email (user email address)
first_name (user first name)
last_name (user last name)
networks_index ->
networks ->
members (list of uids of users linked to the network)
owner (uid of the owner/primary user)
pending_members (list of uids of users wishing to link to the network)
答案 0 :(得分:0)
Complicated structure you have but i will give it a try: Keep in mind standard value for read and write is false.
catch{}I have only concentrated on the pending_members here, I hope that is enough and it is clear enough. If it doesn't work i suggest testing each rule seperatly to see which one is causing a ploblem so I (or someone else) can help fix it.