问题
I'm working on an app using Firebase. I have the following data structure on Firebase:
{
rules: {
"version": {
"threads": {
"$thread": {
"noticeList": {
".read": true,
".write": true
},
"messages": {
".read": "root.child('version/threads/' + $thread + '/users/' + auth.uid).exists()",
".write": "root.child('version/threads/' + $thread + '/users/' + auth.uid).exists()"
},
"$other": {
".read": "auth != null",
".write": "auth != null"
}
}
}
}
}
Each thread has subnode /users/ and I want to make a rule that only included users can read and write the messages in that thread.
There are one more condition that I have to access to noticeList when the new messages are added. However, these rules do not work. If there are other node rules in the '$thread', I couldn't get any respond when I used
firebase.child("version/threads/" + $thread + "/noticeList").once("value", function(snapshot) {});
or
firebase.child("version/threads").once("value", function(snapshot) {});
How can I fix it?
Thanks
回答1:
Your query starts at this:
firebase.child("version/threads/" + $thread + "/noticeList")
When you execute this query, Firebase checks if the user has rights to read the node. Which in this case the user doesn't, so the query fails.
This is a common mistake people make when it comes to Firebase security rules. The Firebase documentation explains it as "rules are not filters", which is exactly what you're trying to do.
Unfortunately for your scenario, the documentation also explains that "rules cascade". This essentially means that if you give users read access to noticeList, you cannot take te read access away at a lower level.
The easiest way to get this to work is probably to give each user their own index of notices they can access.
version
threads
$thread
userNoticeList
<userid1>
<messageid1>: true
<messageid2>: true
<userid2>
<messageid1>: true
<messageid3>: true
This is a fairly typical denormalization of the data.
来源:https://stackoverflow.com/questions/31249956/firebase-rules-cannot-access-to-each-node