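I am using Firebase for real-time chat in my app. Login is based on userId, so auth.uid is that userId. A user is the owner of many profiles (for example, his family members), and a profile can belong to multiple users (for example, a child's profile can belong to both his father and his mother). Chat always happens on behalf of a profile (i.e. the father and his wife can both send a chatMessage on behalf of their son). I want to set up security rules for this chat. The problem I am facing is:
Only a user whose profile created the chat message can edit that message. I am unable to set up this security because I have to compare an array with an array, for which I would have to write a function inside the security rules, which Firebase does not allow.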
Users:{
    userIdOfVed:{
        profiles:{
            userProfileIdOfVedSon:{
                profileId:userProfileIdOfVedSon,
                relation:son
            },
            __:{...},
            __:{...},
            ...
        }
    },
    __:{...},
    __:{...},
    ...
}
Profiles:{
    userProfileIdOfVedSon:{
        chats:{
            chatRoom1Id:{
                caseId:case32Id,
                chatRoomId:chatRoom1Id
            },
            chatRoom3Id:{
                caseId:case42Id,
                chatRoomId:chatRoom3Id
            }
        }
        //...Other user data(like email, phone no.) which might be required
    },
    __:{...},
    __:{...},
    ...
}
ChatMetadata:{
    chatRoom1Id:{
        createdOn:ISODate("2017-04-13T11:25:35.668Z"),
        members:{
            userProfileIdOfVedSon:{
                userProfileId:userProfileIdOfVedSon
            },
            __:{...},
            __:{...},
            ...
        },
        users:{},//I want to avoid adding this field as much as possible, but if it's very critical for setting security, then there is no avoiding it.
        caseId:case32Id,
        lastMessage:"hello world"
        //...Other chat meta data(like last message,etc) which might be required
    },
    __:{...},
    __:{...},
    ...
}
Chats:{
    chatRoom1Id:{
        message1Id:{ //these are randomly generated messageIds by firebase
            userId:userIdOfVed,
            userProfileId:1,
            message:"hello world",
            timestamp:1459361875337 //can be replaced by a standard date time format
        },
        message2Id:{...},
        message3Id:{...}
    },
    chatRoom2Id:{
        message34Id:{...},
        message69Id:{...}
    }
}
//Rules for reading the realtime database
//The list of profiles can be put in the payload of the auth token (auth.profiles) which is not implemented yet
Users:{
    $userId:{ //A user can only read/write/modify his $userId key-value object
        ".read": "$userId == auth.uid"
    }
}
Profiles:{
    $profileId:{ //Can be read/write/modified by Users who have access to this profile.
        ".read": "root.child('Users').child(auth.uid).child('profiles').child($profileId).exists()"
    }
}
ChatMetadata:{
    $chatRoomId:{ //Only the profiles who are present in its "members" keys can read it and a profile can only modify his $profileId entry in "members".
        ".read": "data.child('users').child(auth.uid).exists()"
    }
}
Chats:{
    $chatRoomId:{ //Only the profiles who are present in "ChatMetadata.$chatRoomId.members" keys can read it and push new values in it.(optional: modification to a child can be done only if that profile belongs to "ChatMetadata.$chatRoomId.members" & his profileId==the child.profileId)
        ".read":"I AM UNABLE TO FIGURE OUT THIS RULE, AS FIREBASE DOES NOT ALLOW FUNCTIONS INSIDE THIS."
    }
}
TL;DR: Can I compare an array with an array in Firebase security rules, in order to set up hierarchical rules?
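
One way to express these checks without comparing arrays, as an added example that is not part of the original post: each check becomes a path lookup keyed by auth.uid or by the message's userProfileId. It assumes the `users` map under ChatMetadata is kept in sync with one key per user who owns a member profile, and that userProfileId is stored as a string key rather than a number.

```json
{
  "rules": {
    "Chats": {
      "$chatRoomId": {
        // Assumption: ChatMetadata/$chatRoomId/users/<uid> exists for every
        // user who owns at least one profile listed in "members".
        // Room access is then a single lookup instead of an array intersection.
        ".read": "auth != null && root.child('ChatMetadata').child($chatRoomId).child('users').child(auth.uid).exists()",

        "$messageId": {
          // New message: the caller must be a user of the room.
          // Edit or delete: the caller must also own the profile that the
          // existing message was sent on behalf of (data = stored value).
          ".write": "auth != null && root.child('ChatMetadata').child($chatRoomId).child('users').child(auth.uid).exists() && (!data.exists() || root.child('Users').child(auth.uid).child('profiles').child(data.child('userProfileId').val()).exists())",

          // Shape of the written message (newData = value being written):
          //  - userId records the authenticated writer,
          //  - the claimed profile is owned by that writer,
          //  - the claimed profile is a member of this room.
          // Assumption: userProfileId is a string, since child() only
          // accepts string arguments.
          ".validate": "newData.child('userId').val() === auth.uid && root.child('Users').child(auth.uid).child('profiles').child(newData.child('userProfileId').val()).exists() && root.child('ChatMetadata').child($chatRoomId).child('members').child(newData.child('userProfileId').val()).exists()"
        }
      }
    }
  }
}
```

The `users` map itself needs a write rule so that a user cannot add their own uid to a room they have no member profile in.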