仅显示具有子用户标识的项目
Show only items that have userid as child
这是我的规则:
{
"rules": {
"deck":{
".read":true,
".write":true,
".indexOn": "user"
}
}
}
目前我运行:
deckRef.once('value', function(dataSnapshot) {
console.log(dataSnapshot.ref());
});
我得到了我所有的数据returned:
{
"deck" : {
"-JkpwAnieKjQVsdtPD4m" : {
"deckName" : "Deck 1",
"user" : "simplelogin:1"
},
"-Jkq4unexm-qwhO_U2YO" : {
"deckName" : "Deck 2",
"user" : "simplelogin:1"
},
"-Jkq5-II1q5yM6w3ytmG" : {
"deckName" : "Deck 3",
"user" : "simplelogin:6"
},
"-Jks5mbMHmPB9MwnnOCj" : {
"deckName" : "Deck 4",
"user" : "simplelogin:1"
}
}
}
但我想阻止任何人访问与用户 ID 不匹配的项目。
我尝试将甲板部分更改为:
"deck": {
".read":"data.child('user').val() === auth.uid"
}
但这return没什么。理想情况下,如果用户 "simplelogin:1" 已登录,我希望它 return 仅项目 1、2 和 4,如果 "simplelogin:6" 已登录,我希望它仅是项目 3。
这是编写 Firebase 安全规则时的常见错误,如果我引用 relevant documentation:
可能最清楚
SECURITY AND FIREBASE RULES WORK FROM THE TOP-DOWN
This is a critical concept of understanding Security and Firebase Rules. The child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.
考虑到您要完成的任务,下一部分似乎也很相关:
Rules Are Not Filters
Rules are applied in an atomic manner. That means that an entire read or write operation is failed immediately if any child path under the data is not accessible.
因此,虽然您可能会根据 SQL 语句中的 WHERE
子句来考虑 Firebase 安全规则,但它们并不是这样工作的。如果你想为每个用户保护数据,你将不得不想出一种不同的方式来建模你的数据。安全指南有相当广泛(和复杂)example of securing a chat application.
这是我的规则:
{
"rules": {
"deck":{
".read":true,
".write":true,
".indexOn": "user"
}
}
}
目前我运行:
deckRef.once('value', function(dataSnapshot) {
console.log(dataSnapshot.ref());
});
我得到了我所有的数据returned:
{
"deck" : {
"-JkpwAnieKjQVsdtPD4m" : {
"deckName" : "Deck 1",
"user" : "simplelogin:1"
},
"-Jkq4unexm-qwhO_U2YO" : {
"deckName" : "Deck 2",
"user" : "simplelogin:1"
},
"-Jkq5-II1q5yM6w3ytmG" : {
"deckName" : "Deck 3",
"user" : "simplelogin:6"
},
"-Jks5mbMHmPB9MwnnOCj" : {
"deckName" : "Deck 4",
"user" : "simplelogin:1"
}
}
}
但我想阻止任何人访问与用户 ID 不匹配的项目。
我尝试将甲板部分更改为:
"deck": {
".read":"data.child('user').val() === auth.uid"
}
但这return没什么。理想情况下,如果用户 "simplelogin:1" 已登录,我希望它 return 仅项目 1、2 和 4,如果 "simplelogin:6" 已登录,我希望它仅是项目 3。
这是编写 Firebase 安全规则时的常见错误,如果我引用 relevant documentation:
可能最清楚SECURITY AND FIREBASE RULES WORK FROM THE TOP-DOWN
This is a critical concept of understanding Security and Firebase Rules. The child rules can only grant additional privileges to what parent nodes have already declared. They cannot revoke a read or write privilege.
考虑到您要完成的任务,下一部分似乎也很相关:
Rules Are Not Filters
Rules are applied in an atomic manner. That means that an entire read or write operation is failed immediately if any child path under the data is not accessible.
因此,虽然您可能会根据 SQL 语句中的 WHERE
子句来考虑 Firebase 安全规则,但它们并不是这样工作的。如果你想为每个用户保护数据,你将不得不想出一种不同的方式来建模你的数据。安全指南有相当广泛(和复杂)example of securing a chat application.