使用规则将某些key = val对作为具有独立公共路径和私有路径的公共VS或私有VS

时间:2019-01-22 23:11:31

标签: firebase firebase-realtime-database firebase-security-rules

我正在尝试确定如何组织一些用户数据,这些数据可以是公共实体也可以是私人实体的组合。有问题的实体是活动流事件。用户的关注者可以看到他们的活动流事件-但是,用户可以将事件的某些类别标记为“公开”或“私人”,因此不与关注者共享。

一种实现方法是创建具有各自安全规则的activity_streams_privateactivity_streams_public路径,然后Cloud Function可以根据如何处理从activity_streams_public添加和删除的内容用户更新其隐私设置。

"rules": {
    "activity_streams_settings": {
        "$userID": {
            "read": "auth.uid == $userID",
            "write": "auth.uid == $userID"
        }
    },
    "activity_streams_private": {
        // Users only write Activity Stream events here.
        "$userID": {
            "read": "auth.uid == $userID",
            "write": "auth.uid == $userID"
        }
    },
    "activity_streams_public": {
        "$userID": {
            // Every user can read public activity stream data
            "read": "auth.uid != null",

            // Only Cloud Functions can update what appears in
            // a user's public activity stream by determining
            // if an activity added to activity_streams_private
            // is public or private using the
            // activity_stream_settings data. Every settings
            // change would cause the Cloud Function to read
            // this entire subtree of data and write/delete a lot.
            "write": false,
        }
    }
}

或者,您可以将所有用户的公共和私有活动流事件保留在activity_streams之类的路径中,然后具有基于查询的安全规则,该规则仅允许追随者使用public=true查询活动流事件属性。这仍然需要用户的设备(或云功能)在每次更改隐私设置时更新activity_streams中的所有项目以包括/排除public=true属性。

"rules": {
    "activity_streams_settings": {
        "$userID": {
            "read": "auth.uid == $userID",
            "write": "auth.uid == $userID"
        }
    },
    "activity_streams": {
        "$userID": {
            // Only children with the 'visibility=public' property
            // can be read (or the owner of the activity stream).
            // This method will mean that the ID of each Activity
            // Stream event will be in the form of:
            // timestampDescending_eventUUID so that the events
            // are automatically sorted by newest first.
            "read": "auth.uid == $userID || (auth.uid != null && query.orderBy = 'visibility' && query.equalTo = 'public')",

            // Users can append Activity Stream events with a
            // preset visibility property (public or private)
            // but a Cloud Function will change the visibility
            // property on events if a user changes their settings.
            "write": "auth.uid == $userID",
        }
    }
}

我想我想问的是每种方法的弊端和好处是什么。基于查询的安全规则会减慢读取速度吗?随着用户群的增长,这两种解决方案是否更具可扩展性?在短短的约5分钟的会话中,用户将生成25至75个活动流事件之间的任何地方。

我对执行activity_streams_public的担心是,即使隐私设置很少更改,写入操作也会导致大约100万用户的可伸缩性问题。有想法吗?

0 个答案:

没有答案
相关问题
最新问题