1
我是Firebase的新手,並試圖瞭解安全規則。爲此,我正在實施項目 - 團隊成員 - 任務的典型功能。每個項目都有一個團隊負責人,多個成員和多個任務。Firebase規則:如何根據用戶角色限制訪問
這裏的結構和規則,我試圖實現(又名要求):
/Members - each member has { displayName, email, emailVerified }
any logged in user should be able to read data from Members (to get the
display names of all users)
any logged in user should be able to update his/her record
/Projects - each project has { Lead, Members{}, Name, Tasks{} }
any logged in user should be able to read the list of projects
any logged in user should be able to read the list of members (if possible
only for the projects where they are part of)
any logged in user should be able to read the list of tasks (if possible only
for the projects where they are part of)
only the team leader should be able to update project details i.e.
- add/remove members
- add/remove tasks
- change project title
/Tasks - { project, status, title }
team leader/team members should be able to read the tasks
team leader can add/edit/delete tasks
team members can update only status (of a task that is associated with their project)
team leader/team members should be able to filter project tasks based on
task status (completed/not completed)
我設置以下火力地堡規則:
{
"rules": {
"Members": {
".read": "auth != null",
"$mid" : {
".write": "auth != null && auth.uid == $mid"
}
}, // Members
"Projects": {
".read": "auth != null",
// only team lead can edit project details
".write": "auth != null && auth.uid == data.child('Lead').val()",
// Lead and Name are mandatory fields
".validate": "newData.hasChildren(['Lead', 'Name'])",
"Name": {
".validate": "newData.isString() && newData.val().length > 0"
},
"Lead": {
".validate": "root.child('Members/' + newData.val()).exists()"
},
"Members": {
"$mid": {
".validate": "root.child('Members/' + $mid).exists()"
}
},
"Tasks": {
"$tid": {
".validate": "root.child('Tasks/' + $tid).exists()"
}
}
}, // Projects
"Tasks": {
// allow read/write only if current user is team lead or a member of the project
".read": "(auth != null) && (data.child('project').val() == 'Project1')",
".write": "auth != null && (root.child('Projects/' + newData.child('project').val() + '/Lead').val() == auth.uid || root.child('Projects/' + newData.child('project').val() + '/Members/' + auth.uid).exists())",
".validate": "newData.hasChildren(['project', 'status', 'title'])",
"status": {
".validate": "newData.isString() && newData.val().length > 0"
},
// if team member is saving the item, allow changes only to status
"title": {
".validate": "(root.child('Projects/' + newData.parent().child('project').val() + '/Lead').val() == auth.uid) ? newData.isString() && newData.val().length > 0 : data.exists() && data.val() == newData.val()"
}
} // Tasks
} // rules
}
目前我正在評估.read功能。我還沒有測試過.write功能。
我可以得到Members列表(成員'displayName)爲一個給定的項目。 但是,雖然獲取項目的任務細節(從/Tasks)我得到權限拒絕錯誤。
請注意,我想使用.read規則與.write規則相同Tasks。但是,當我遇到錯誤時,我將其更改爲當前規則(例如,任何已通過身份驗證的用戶都可以讀取Project1 - Project1是項目的關鍵任務)。即使那樣,我也被拒絕了。如果我只保留"auth != null",那麼我可以閱讀任務,但這不是我想要的。
有人能幫助我理解我應該如何更改Firebase規則以實現上述要求?