The database rules look like this:

{
  "rules": {
    "users": {
      ".read": true,
      ".write": "root.child('users').child(auth.uid).child('uid').val() === auth.uid"
    }
  }
}
The user object looks like this (the stray trailing comma after the user entry has been removed so the object is valid JSON):

{
  "Eay5XLrspSZgdodEnZTBroStx1w2" : {
    "displayName" : "Todd Bertsch",
    "email" : "toddbertsch@gmail.com",
    "emailVerified" : true,
    "isAnonymous" : false,
    "metadata" : {
      "a" : "1512148002000",
      "b" : "1512148002000",
      "creationTime" : "Fri, 01 Dec 2017 17:06:42 GMT",
      "lastSignInTime" : "Fri, 01 Dec 2017 17:06:42 GMT"
    },
    "photoURL" : "https://lh6.googleusercontent.com/-PtEgSTI46tI/AAAAAAAAAAI/AAAAAAAAMEk/Q0_IktNjsoI/photo.jpg",
    "providerData" : [ {
      "displayName" : "Todd Bertsch",
      "email" : "toddbertsch@gmail.com",
      "photoURL" : "https://lh6.googleusercontent.com/-PtEgSTI46tI/AAAAAAAAAAI/AAAAAAAAMEk/Q0_IktNjsoI/photo.jpg",
      "providerId" : "google.com",
      "uid" : "104351756542406315190"
    } ],
    "providerId" : "firebase",
    "refreshToken" : "AEoYo8t7S_E-GrvHt9LUr9nV9Juzgk47p0otIpGy2Lp96W7VU12FB8n4t-N15_5jTZ60afp4fVp-KaJlS-j49FNi_2T38_Kwr2PhLhsIwpS1FwwYfhXbRlIux96VaGHiQOB2m1qH6KI2W1Je5gVGg8-k9G8DtppGjde8eHNZZW7lJNEvNcJdjeGQ6qAyWC5VqCsSkiCv1KKSnLauICd-yNcW3dK0G_oe7rFwjoDAsMPBQ-_Z-PN_cJdlSfTccQIG8WrjB42VhAPq33faMD2xL1Kv2aHs9IH7ngHmSFoNIQCmPicN_mWIvB-kDSKBU9eOhO9t8Dsma3suhqZiGPttASbPvfDP4ElVJrIGQ78TyU9BEXmUwiqGoa4",
    "role" : "user",
    "uid" : "Eay5XLrspSZgdodEnZTBroStx1w2"
  }
}

However, users are able to edit other users' data, which is not intended.
Answer 0: (score 0)

Although I fully understand it, changing it to the way mentioned here seems to work: https://www.firebase.com/docs/security/guide/user-security.html

{
  "rules": {
    "users": {
      "$user_id": {
        // grants write access to the owner of this user account
        // whose uid must exactly match the key ($user_id)
        ".write": "$user_id === auth.uid"
      }
    }
  }
}
Answer 1: (score 0)

Rules apply to the node you define them on. But in addition, since you use the uid as the key, you can do:

"users": {
  "$uid": {
    ".write": "$uid === auth.uid"
  }
}
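Both answers hinge on the same point: a `.write` rule grants access to the node it is declared on and everything below it, and a matching `.write` on an ancestor cannot be revoked by a deeper rule. The question's rule lives on `/users`, so once a caller has a record of their own the check passes and the whole `/users` subtree (every other user's record included) becomes writable. The following simulator is an added example, not code from the question or either answer and not part of the Firebase SDK: it models the cascade with rule expressions written as JavaScript functions of a context object (an assumption made to avoid implementing the rules expression language), runs constructed sample data in the shape of the question's `/users` node through both the original and the wildcard-scoped rules, and shows which writes each permits. `canWrite`, `ROOT`, `ORIGINAL_RULES`, `FIXED_RULES` and the `uid_alice`/`uid_bob` values are all hypothetical names chosen for the illustration.

```javascript
// Added example (not from the question, the answers, or Firebase): a minimal
// simulation of the Realtime Database ".write" cascade. Rule expressions are
// modelled as functions of {auth, root, vars} instead of the string expression
// language (assumption); the cascade semantics (an ancestor ".write" that
// evaluates true grants the whole subtree) follow the documented behaviour.

// Constructed sample data in the shape of the question's /users node.
const ROOT = {
  users: {
    uid_alice: { uid: "uid_alice", role: "user", email: "alice@example.com" },
    uid_bob: { uid: "uid_bob", role: "user", email: "bob@example.com" },
  },
};

// The question's original rule: ".write" is declared on /users itself. The
// expression only checks that the caller has a record of their own; it never
// looks at which child is being written.
const ORIGINAL_RULES = {
  users: {
    ".read": () => true,
    ".write": (ctx) => {
      const me = ctx.root.users && ctx.root.users[ctx.auth.uid];
      return Boolean(me) && me.uid === ctx.auth.uid;
    },
  },
};

// The answers' fix: ".write" sits under a "$user_id" wildcard and compares the
// bound key (the record being written) with the caller's uid.
const FIXED_RULES = {
  users: {
    ".read": () => true,
    "$user_id": {
      ".write": (ctx) => ctx.vars.$user_id === ctx.auth.uid,
    },
  },
};

// Walk the rule tree along the write path. The write is permitted as soon as
// any ".write" on the target node or one of its ancestors evaluates true;
// if no rule along the path grants it, the default is deny.
function canWrite(rules, path, auth, root) {
  const vars = {};
  const who = auth || { uid: null }; // unauthenticated caller
  let node = rules;
  const granted = () => {
    const rule = node[".write"];
    return typeof rule === "function" && rule({ auth: who, root, vars }) === true;
  };
  if (granted()) return true;
  for (const segment of path) {
    let next = null;
    if (Object.prototype.hasOwnProperty.call(node, segment)) {
      next = node[segment];
    } else {
      // Firebase allows one $wildcard per level; bind it to this path segment.
      const wildcard = Object.keys(node).find((k) => k.startsWith("$"));
      if (wildcard) {
        vars[wildcard] = segment;
        next = node[wildcard];
      }
    }
    if (!next) return false; // no rule covers this path: denied
    node = next;
    if (granted()) return true;
  }
  return false;
}

// Alice (authenticated, has her own record) tries to change Bob's role.
function aliceCanOverwriteBob(rules) {
  return canWrite(rules, ["users", "uid_bob", "role"], { uid: "uid_alice" }, ROOT);
}

// Alice edits a field under her own record.
function aliceCanEditSelf(rules) {
  return canWrite(rules, ["users", "uid_alice", "displayName"], { uid: "uid_alice" }, ROOT);
}

console.log("original rule, alice -> /users/uid_bob/role:", aliceCanOverwriteBob(ORIGINAL_RULES)); // true
console.log("fixed rule,    alice -> /users/uid_bob/role:", aliceCanOverwriteBob(FIXED_RULES)); // false
console.log("fixed rule,    alice -> own record:", aliceCanEditSelf(FIXED_RULES)); // true
```

Run it with `node` and the first line shows the problem from the question: under the original rule Alice's write to Bob's `role` is granted at `/users`, before the path ever reaches Bob's key. Under the wildcard rule the grant is evaluated at `/users/$user_id`, where the bound key is compared with `auth.uid`, so only the caller's own record is writable and an unauthenticated caller is denied everywhere.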