Question
I have a family, A, b, c, d, and A is the leader. We have an intruder, E. We only want b, c, d to read/write A's data.
ALL OF THESE letters (b, c, d, ...) will be the UIDs
Here is what I have so far:
Everyone is authenticated with email. People send requests to A to be allowed in his group. If he accepts, they can read/write to his.
Design for database Firebase
{
  "Leaders" : {
    "A" : {
      "ALLOWED" : {
        "b" : 0,
        "c" : 0,
        "d" : 0
      },
      "DATA" : {
        "blah blah1" : "content writable by bcd",
        "blah blah2" : "content writable by bcd"
      },
      "REQUESTS" : {
        "E" : 0
      }
    }
  }
}
I can use CRUD to move the b, c, d but how do I make the rules so that it follows that only people in the ALLOWED can read/write data for each leader?
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "Leaders":{
      ".write": "$uid == ????"
    }
  }
}
Thanks for helping!
Answer 1:
Should be a matter of checking if the node exists under the current leader:
{
  "rules": {
    "Leaders":{
      "$leaderuid": {
        ".write": "$leaderuid == auth.uid",
        "DATA": {
          ".write": "data.parent().child('ALLOWED').child(auth.uid).exists()"
        }
      }
    }
  }
}
Things I changed:
- Remove the top-level read/write rules. Otherwise any authenticated user can read/write all data and you can never take that permission away at a lower level anymore.
- The leader can write their entire node. I use auth.uid here as described in the documentation on securing user data.
- A user can only write under DATA if their uid exists in the ALLOWED node.
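An added example, not part of the original answer: a simplified JavaScript model of how write rules cascade from the root down, run over the question's data with the question's rules and the answer's rules. The evaluator canWrite, the rules-as-functions encoding and the path /Leaders/A/DATA/x are assumptions for illustration, not Firebase's rules engine.

```javascript
// Constructed sample data: the database layout from the question.
const db = { Leaders: { A: {
  ALLOWED: { b: 0, c: 0, d: 0 },
  DATA: { "blah blah1": "content writable by bcd" },
  REQUESTS: { E: 0 },
} } };

// Value stored at a path (array of segments), or undefined if absent.
const get = (segs) => segs.reduce((n, s) => (n == null ? undefined : n[s]), db);

// Each ".write" is modelled as a function (auth, vars, pathOfRule) => boolean.
// The question's rules: a root-level grant for any signed-in user.
const questionRules = { ".write": (auth) => auth != null, Leaders: {} };

// The answer's rules. data.parent().child('ALLOWED').child(auth.uid).exists()
// becomes a lookup of the ALLOWED sibling of the DATA node the rule sits on.
const answerRules = { Leaders: { $leaderuid: {
  ".write": (auth, vars) => auth != null && vars.$leaderuid === auth.uid,
  DATA: {
    ".write": (auth, vars, here) => auth != null &&
      get([...here.slice(0, -1), "ALLOWED", auth.uid]) !== undefined,
  },
} } };

// Walk from the root towards the target path. The first ".write" that
// evaluates to true grants the write; deeper rules cannot revoke it.
function canWrite(rules, auth, path) {
  const segs = path.split("/").filter(Boolean);
  const vars = {};
  let node = rules;
  for (let i = 0; ; i++) {
    const rule = node[".write"];
    if (rule && rule(auth, vars, segs.slice(0, i))) return true;
    if (i === segs.length) return false; // reached the target, nothing granted
    const seg = segs[i];
    if (!Object.prototype.hasOwnProperty.call(node, seg)) {
      const wild = Object.keys(node).find((k) => k.startsWith("$"));
      if (!wild) return false; // no rule covers this path: denied by default
      vars[wild] = seg;
      node = node[wild];
    } else {
      node = node[seg];
    }
  }
}

for (const [name, rules] of [["question", questionRules], ["answer", answerRules]])
  console.log(name, "rules, E writes DATA:", canWrite(rules, { uid: "E" }, "/Leaders/A/DATA/x"));
```

In this model the answer's rules also deny E a write to /Leaders/A/REQUESTS/E, because only the leader's rule covers that path.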
Source: https://stackoverflow.com/questions/40838578/firebase-read-write-permission-for-certain-users