消防安全规则

Question

我有以下格式的防火墙数据-

  "requests" : {
    "-KpPjt5jQZHBalQRxKSK" : {
      "email" : "pariksheet@agsft.com",
      "itemId" : "-KmazkKp5wavdHOczlDS",
      "quantity" : 1,
      "status" : "new"
    },
    "-KpZsw3KHE9oD1CIFQ4R" : {
      "email" : "pbarapatre@gmail.com",
      "itemId" : "-Kmb-ZXfao7VdfenhfYj",
      "quantity" : 1,
      "status" : "new"
    }
  }

每个请求都包含

"email" <- user's email id who has initiated the request.
"itemId" <- id of requested item
"quantity" <- item quantity
"status" <- "new" | "approved" | decline.

我正在努力编写Firebase规则，该规则将：

• 允许经过身份验证的用户访问/只读取由他/她引发的请求。
• 允许管理员用户读取/更新所有请求。

我目前的规则如下：

{
  "rules": {
    ".read": false,
    ".write": false,
    "items" : {
    ".read": "auth != null",
    ".write": "root.child('roles').child(auth.uid).val() === 'admin'"
    },
    "requests": {
        ".write": "root.child('roles').child(auth.uid).val() === 'admin'", /*Only Admins can update request*/
        "$rId": {
            ".read": "data.child('email').val() == auth.email || root.child('roles').child(auth.uid).val() === 'admin'"/*Request owner and admin can only read the particular request*/
        }
    }
  }
}

我维护了具有{ "uid“：”角色“}的独立节点角色。

我正在使用AngularFire2查询我的应用程序中的Firebase。

用于检索具有给定状态的请求的示例代码如下所示

const queryList$ = this.db.list('/requests', {
    query: {
        orderByChild: 'status',
        equalTo: status
    }
})

谢谢帕里

Answer 1

我建议你做以下修改：

在数据库的根目录中创建一个新的对象admins

"admins": {
    "<ADMIN_1_UID>": "true",
    "<ADMIN_2_UID>": "true"
}

然后对您的安全规则进行如下更改：

"rules": {
    "admins": {
        ".read": false,
        ".write": false /*This ensures that only from firebase console you can add data to this object*/
    },
    "requests": {
        ".read": "root.child('admins').child(auth.uid).val()",
        ".write": "root.child('admins').child(auth.uid).val()", /*Only Admins can read/update all requests*/
        "$rId": {
            ".read": "data.child('email').val() == auth.email"/*Request owner can read only the particular request*/
        }
    }
}