5
I think the correct static rule would be:
allow read, write: if request.auth.uid == 'a-user-id' || request.auth.uid == 'another-user-id' || ...
But I guess you are looking for dynamic rules :)
For the owners it's quite simple to set up a dynamic rule with the folder name:
match /users-projects/{projectId}/{userId} {
  allow read, write: if request.auth.uid == userId
}
For more complex cases like invited users, you can try using the custom metadata to store invited uids in the file, and match them against the user id accessing that resource. Example rule:
allow read: if resource.metadata.invited.matches(request.auth.uid);
The custom metadata values can only be strings, so I suggest you store them as a comma-separated value so you can edit them easily, and at the same time use a simple match in the access rule.
Note: this is only scalable while the invitedUids.join(',') length is shorter than the maximum length of custom metadata values (I don't know that value). If your app is not built to accept hundreds of invited users, it should be ok; otherwise you might need to set up a server-side access mechanism which builds a unique download link for each invited user, instead of relying on simple rules.
Also, I don't think you can use the token groupId value to enforce access security in your case (as depicted in the docs), because you have a many-to-many relationship between users and folders/files (users will not belong to only one group).
So, to answer your questions:
- The resource object in the rules only applies to files; if you use metadata to enforce access, it needs to be updated on each file in the folder if they share the same access rules.
- The metadata is just a string->string key-value store; you just need to store user ids as a string in an arbitrary non-reserved key, as explained above.
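As an added example (not part of the answer above), client-side JavaScript that builds the comma-separated invited value the answer describes and shows the whole-element membership check an access decision needs, next to a raw substring match for comparison; MAX_METADATA_VALUE_LENGTH is an assumed placeholder, since the answer does not state the real limit.

```javascript
// Added example, not code from the answer or from Firebase.
// Assumed placeholder: the answer does not know the real metadata value limit.
const MAX_METADATA_VALUE_LENGTH = 1024;

// Build the customMetadata object for a file upload/update.
// UIDs must not contain the separator: a uid with an embedded comma would
// otherwise smuggle an extra "invited" id into the list.
function buildInvitedMetadata(invitedUids, maxLength = MAX_METADATA_VALUE_LENGTH) {
  for (const uid of invitedUids) {
    if (typeof uid !== 'string' || uid.length === 0 || uid.includes(',')) {
      throw new Error(`invalid uid: ${JSON.stringify(uid)}`);
    }
  }
  // Deduplicate so repeated invites do not eat into the length budget.
  const value = [...new Set(invitedUids)].join(',');
  if (value.length > maxLength) {
    // This is the scalability limit the answer warns about: switch to a
    // server-side grant (per-user download link) instead of a rule.
    throw new Error(`invited list too long (${value.length} > ${maxLength})`);
  }
  return { customMetadata: { invited: value } };
}

// Whole-element membership: the check the access decision must compute.
function isInvited(metadataValue, uid) {
  return metadataValue.split(',').includes(uid);
}

// Raw substring match, for comparison only: it also accepts a uid that is
// merely a prefix or fragment of an invited uid.
function isInvitedSubstring(metadataValue, uid) {
  return metadataValue.includes(uid);
}

// Constructed sample data.
const sampleMeta = buildInvitedMetadata(['uid-alice', 'uid-bob', 'uid-bob']);
console.log(sampleMeta.customMetadata.invited); // uid-alice,uid-bob
console.log(isInvited(sampleMeta.customMetadata.invited, 'uid-bo')); // false
console.log(isInvitedSubstring(sampleMeta.customMetadata.invited, 'uid-bo')); // true
```

The rule on the file should therefore compare list elements rather than search the raw string; whether the rules language can split the value is not stated in the answer, so verify that against the current Storage rules reference before relying on it.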