I'm new to Firebase and trying to understand security rules. To do that, I'm implementing the typical Projects - Team members - Tasks functionality.
Each project will have one team lead, multiple members and multiple tasks.
Here is the structure and the rules (aka requirements) I'm trying to implement:
/Members - each member has { displayName, email, emailVerified }
    any logged in user should be able to read data from Members (to get the display names of all users)
    any logged in user should be able to update his/her record
/Projects - each project has { Lead, Members{}, Name, Tasks{} }
    any logged in user should be able to read the list of projects
    any logged in user should be able to read the list of members (if possible only for the projects which they are part of)
    any logged in user should be able to read the list of tasks (if possible only for the projects which they are part of)
    only the team leader should be able to update project details, i.e.
        - add / remove members
        - add / remove tasks
        - change project title
/Tasks - { project, status, title }
    team leader / team members should be able to read the tasks
    team leader can add/edit/delete tasks
    team members can update only status (of a task that is associated with their project)
    team leader / team members should be able to filter project tasks based on task status (completed / not completed)
I set up the following Firebase rules:
{
  "rules": {
    "Members": {
      ".read": "auth != null",
      "$mid": {
        ".write": "auth != null && auth.uid == $mid"
      }
    }, // Members
    "Projects": {
      ".read": "auth != null",
      // only team lead can edit project details
      ".write": "auth != null && auth.uid == data.child('Lead').val()",
      // Lead and Name are mandatory fields
      ".validate": "newData.hasChildren(['Lead', 'Name'])",
      "Name": {
        ".validate": "newData.isString() && newData.val().length > 0"
      },
      "Lead": {
        ".validate": "root.child('Members/' + newData.val()).exists()"
      },
      "Members": {
        "$mid": {
          ".validate": "root.child('Members/' + $mid).exists()"
        }
      },
      "Tasks": {
        "$tid": {
          ".validate": "root.child('Tasks/' + $tid).exists()"
        }
      }
    }, // Projects
    "Tasks": {
      // allow read / write only if current user is team lead or a member of the project
      ".read": "(auth != null) && (data.child('project').val() == 'Project1')",
      ".write": "auth != null && ( root.child('Projects/' + newData.child('project').val() + '/Lead').val() == auth.uid || root.child('Projects/' + newData.child('project').val() + '/Members/' + auth.uid).exists() )",
      ".validate": "newData.hasChildren(['project', 'status', 'title'])",
      "status": {
        ".validate": "newData.isString() && newData.val().length > 0"
      },
      // if team member is saving the item, allow changes only to status
      "title": {
        ".validate": "(root.child('Projects/' + newData.parent().child('project').val() + '/Lead').val() == auth.uid) ? newData.isString() && newData.val().length > 0 : data.exists() && data.val() == newData.val()"
      }
    } // Tasks
  } // rules
}
Currently I'm evaluating the .read functionality. I haven't tested the .write functionality yet.
I'm able to get the Members list (the members' displayName) for a given project.
But when fetching the task details of a project (from /Tasks) I get a permission denied error.
Please note that I wanted to use a .read rule similar to the .write rule for Tasks. But when I got the error, I changed it to the current rule (so that any authenticated user can read the tasks of Project1 - Project1 is the key of a project). Even then my permission is denied. If I keep only "auth != null" then I'm able to read the tasks, but that's not what I want.
Can someone help me understand what changes I should make to the Firebase rules to achieve the above requirements?
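As an added example (not part of the question or of Firebase's documentation), here is one way to express the Tasks rules per task key instead of on the whole collection; the /ProjectTasks index path is an assumption introduced here so that members can list a project's tasks without a collection-wide read:

```json
{
  "rules": {
    "Tasks": {
      // No collection-level ".read" here. At this level `data` is the whole
      // /Tasks node, so data.child('project') never exists and the rule from
      // the question is always false; rules also cascade downward, so a grant
      // here could not be narrowed per task. The rules go under the key instead.
      "$tid": {
        // lead or member of the task's project may read this task
        ".read": "auth != null && (root.child('Projects/' + data.child('project').val() + '/Lead').val() == auth.uid || root.child('Projects/' + data.child('project').val() + '/Members/' + auth.uid).exists())",
        // lead of the task's (current, or on create: new) project may create, edit or delete;
        // a project member may only update an existing task
        ".write": "auth != null && (root.child('Projects/' + (data.exists() ? data.child('project').val() : newData.child('project').val()) + '/Lead').val() == auth.uid || (data.exists() && newData.exists() && root.child('Projects/' + data.child('project').val() + '/Members/' + auth.uid).exists()))",
        // a member may change status only: project and title must stay as they are
        ".validate": "newData.hasChildren(['project', 'status', 'title']) && (root.child('Projects/' + (data.exists() ? data.child('project').val() : newData.child('project').val()) + '/Lead').val() == auth.uid || (newData.child('project').val() == data.child('project').val() && newData.child('title').val() == data.child('title').val()))",
        "status":  { ".validate": "newData.isString() && newData.val().length > 0" },
        "title":   { ".validate": "newData.isString() && newData.val().length > 0" },
        "project": { ".validate": "root.child('Projects/' + newData.val()).exists()" }
      }
    },
    // Assumed extra path (not in the question): a per-project index of task keys,
    // maintained by the lead. A client lists /ProjectTasks/$pid and then reads
    // each /Tasks/$tid, so no read on the whole /Tasks collection is needed.
    "ProjectTasks": {
      "$pid": {
        ".read": "auth != null && (root.child('Projects/' + $pid + '/Lead').val() == auth.uid || root.child('Projects/' + $pid + '/Members/' + auth.uid).exists())",
        ".write": "auth != null && root.child('Projects/' + $pid + '/Lead').val() == auth.uid",
        "$tid": { ".validate": "newData.isBoolean()" }
      }
    }
  }
}
```

With read granted only at /Tasks/$tid, a query such as orderByChild('status') against /Tasks as a whole is still denied, because rules are not filters; the status filter has to be applied client-side over the tasks fetched through the index, or the tasks stored nested per project.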