Firebase security rules to read partial objects [duplicate]

问题

This question already has an answer here:

Firebase: How to structure public/private user data (1 answer)

Closed 2 years ago.

I can't figure out how to filter data using Firebase database. I've read that rules can't be used for filters. But then how?

I'd like a datastructure somewhat like the one below. i.e. a list of posts created by different users due for a specified time (user-id is not included in the layout below as I'm not sure where to put it)

posts: {
  "-LKwbZsfy55d24kwX4t1" : {
      when: {
        from: "2019-01-01 10:00",
        to: "2019-01-01 11:00"
      content: {
        text: "Hello"
      }
  },
  "-LKwbZsfy55d24kwX4t2" : {
      when: {
        from: "2019-01-02 10:00",
        to: "2019-01-02 11:00"
      content: {
        text: "Another hello"
      }
  }
}

I would like everyone to be able to read all posts so my sync path is '/posts'

BUT only the user that created the post should be able to see the 'content'. So I somehow need to say that posts has ".read" : true, and content has ".read": $uid == auth.uid (which is not possible since access cannot be revoked by a child path)

回答1:

If your current data structure makes it impossible to secure the data to your needs, considered restructuring it so that security rules become possible. In other words, don't nest protected data under public data. Put protected data in its own top-level child.

"posts-public": {
    "-LKwbZsfy55d24kwX4t1": {
        // public data here
    }
},
"posts-private": {
    "-LKwbZsfy55d24kwX4t1": {
        // private data here
    }
}

Now you can write security rules to protect them independently from each other.

回答2:

".read": "true", gives everyone to read data

And it should be looks like this (just for example):

"posts": {
      ".read": "true",
      "$postId": {
        ".read": "true",
        ".validate": "root.child('posts/'+$postId).exists()",
        "$contentId": {
            ".read": "auth !=null",
            ".write": "auth != null",
            ".validate": "(newData.hasChildren(['content']))",
             "content": {
                ".validate": "newData.val().length > 0"
            },
           "user": {
             ".validate": "newData.hasChildren(['id', 'name', 'avatar'])"
           }
         }
      }
    },
    "privatePost": {
      "$uid1": {
        "$uid2": {
          ".read": "auth != null && ($uid1 === auth.uid || $uid2 === auth.uid)",
          "$postId": {
            ".write": "auth != null",
            ".validate": "(newData.hasChildren(['content']))",
            "content": {
              ".validate": "newData.val().length > 0"
        },
            "user": {
              ".validate": "newData.hasChildren(['id', 'name', 'avatar'])"
            }
          }
        }
      }

来源：https://stackoverflow.com/questions/54102092/firebase-security-rules-to-read-partial-objects