Adding security to Firebase to prevent other data from being inserted

Time: 2016-02-12 13:25:16

Tags: firebase firebase-security

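I have a node in Firebase named 'pending_members' that contains a list of members waiting for permission to be granted by the 'owner', so 'pending_members' needs the following rules:

  1. The current user can only add themselves (uid)
  2. The current user can only remove themselves (uid) from the list
  3. The 'owner' can remove any member from the list
  4. Only the 'owner' can read the list

I have tried various security rules but seem to miss many edge cases, for example, a user is granted write access because the data contains their uid, but they can then submit other people's uids.

Can someone suggest appropriate rules for this situation? Many thanks.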

    "pending_members" : {
        ".write" : "auth !== null && 
            // The user is authenticated AND
            (newData.child(auth.uid).exists() ||
            // The new data contains either the current user's id OR
            (!newData.exists() &&  
            // There's no new data (a delete operation) AND
            data === auth.uid))",
            // The old data is the current user's id
    
    "$member" : {
        ".validate" : "newData.isString()",
            "$other": { ".write": false, ".read": false }
        }
    }
    

Edit: structure example:

    users       ->
                    personal_data   ->
                                        email                   (user email address)
                                        first_name              (user first name)
                                        last_name               (user last name)
                    networks_index  ->
    networks    ->
                    members                 (list of uids of users linked to the network)
                    owner                   (uid of the owner/primary user)
                    pending_members         (list of uids of users wishing to link to the network)
    

    Data Example (image)

1 answer:

Answer 0: (score: 0)

Complicated structure you have, but I will give it a try: Keep in mind the standard value for read and write is false.

catch{}

I have only concentrated on the pending_members here, I hope that is enough and it is clear enough. If it doesn't work I suggest testing each rule separately to see which one is causing a problem so I (or someone else) can help fix it.
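
One way to express the four requirements from the question as Realtime Database rules, as an added example that is not part of the original question or answer. It assumes each network lives at `/networks/$network` with `owner` holding the owner's uid, and that pending entries are keyed by uid with a string value; the `$network` and `$uid` variable names are chosen here.

```json
{
  "rules": {
    "networks": {
      // Assumption: one child per network id, matching the structure example
      "$network": {
        "pending_members": {
          // Requirement 4: only the owner can read the list
          ".read": "auth !== null && root.child('networks').child($network).child('owner').val() === auth.uid",

          // No ".write" at this level: read and write default to false,
          // so nobody can replace the whole list in one operation.

          "$uid": {
            // Requirements 1 and 2: a user may create or delete only the
            // entry whose key is their own uid.
            // Requirement 3: the owner may delete (but not add) any entry.
            ".write": "auth !== null && ($uid === auth.uid || (!newData.exists() && root.child('networks').child($network).child('owner').val() === auth.uid))",

            // Same type check as the rule in the question; it is not
            // evaluated on deletes.
            ".validate": "newData.isString()"
          }
        }
      }
    }
  }
}
```

Because a `.write` granted on a parent cannot be revoked by a child rule, the write permission sits on `$uid` rather than on `pending_members`, so a client cannot submit another user's uid alongside its own.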