问题
I have a firebase location with all of my app's stored messages as child objects.
I want clients to be able to get each message if they know the id of the message but not download the entire messages table.
What would the security rule for this look like?
Thanks.
回答1:
You can disallow a read on the parent, but allow reads if the ID is known:
"rules": {
"messages": {
// Disallow enumerating list of messages
".read": false,
".write": false,
"$messageID": {
// If you know the messageID you can read the message.
".read": true,
// Cannot overwrite existing messages (optional).
".write": "!data.exists()"
}
}
}
See https://github.com/firebase/firepano for an example app that uses unguessable URLs for security.
来源:https://stackoverflow.com/questions/17383168/firebase-limit-read-to-individual-children-but-not-to-parent