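firebase - Using rules to secure certain key=val pairs as public or private VS having separate public and private paths
Problem description
I'm trying to determine how I should organize some user data that can be a mix of public and private entities. The entities in question are activity stream events. A user's followers can see their activity stream events - but the user can mark certain categories of events as "public" or "private", so that they are not shared with their followers.
One approach would be to create activity_streams_private and activity_streams_public paths with corresponding security rules, and then a Cloud Function could handle what gets added to and removed from activity_streams_public based on how the user updates their privacy settings.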
{
  "rules": {
    "activity_streams_settings": {
      "$userID": {
        ".read": "auth.uid == $userID",
        ".write": "auth.uid == $userID"
      }
    },
    "activity_streams_private": {
      // Users only write Activity Stream events here.
      "$userID": {
        ".read": "auth.uid == $userID",
        ".write": "auth.uid == $userID"
      }
    },
    "activity_streams_public": {
      "$userID": {
        // Every user can read public activity stream data
        ".read": "auth.uid != null",
        // Only Cloud Functions can update what appears in
        // a user's public activity stream by determining
        // if an activity added to activity_streams_private
        // is public or private using the
        // activity_streams_settings data. Every settings
        // change would cause the Cloud Function to read
        // this entire subtree of data and write/delete a lot.
        ".write": false
      }
    }
  }
}
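Alternatively, you could keep all of a user's public and private Activity Stream events in a path like activity_streams, and then have query-based security rules that only allow followers to query Activity Stream events with the public=true property. This would still require the user's device (or a Cloud Function) to update all items in activity_streams to include/exclude the public=true property every time the privacy settings change.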
{
  "rules": {
    "activity_streams_settings": {
      "$userID": {
        ".read": "auth.uid == $userID",
        ".write": "auth.uid == $userID"
      }
    },
    "activity_streams": {
      "$userID": {
        // Only children with the 'visibility=public' property
        // can be read (or the owner of the activity stream).
        // This method will mean that the ID of each Activity
        // Stream event will be in the form of:
        // timestampDescending_eventUUID so that the events
        // are automatically sorted by newest first.
        ".read": "auth.uid == $userID || (auth.uid != null && query.orderByChild == 'visibility' && query.equalTo == 'public')",
        // Users can append Activity Stream events with a
        // preset visibility property (public or private)
        // but a Cloud Function will change the visibility
        // property on events if a user changes their settings.
        ".write": "auth.uid == $userID"
      }
    }
  }
}
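I guess I'm asking what the downsides and advantages of each approach are. Would query-based security rules slow down reads? Is either of the two solutions more scalable as the user base grows? In a short ~5 minute session, a user will generate 25 to 75 activity stream events.
My concern with activity_streams_public is that the writes could cause scalability problems at ~1 million users, even if privacy settings are changed infrequently. Thoughts?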
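The fan-out that the comments in the first rule set describe, as an added example that is not part of the original question: it computes the multi-path update a Cloud Function would apply to activity_streams_public after a settings change, so the size of the returned map is the number of paths written. The `category` field on each event, the category-to-'public'/'private' settings shape, and all sample data are assumptions made for illustration.

```javascript
// Added example (not the asker's code). Assumed shapes:
//   event    -> { category: string, ... }
//   settings -> { [category]: 'public' | 'private' }

function isPublic(settings, category) {
  // Fail closed: a category with no explicit setting is treated as private.
  return settings != null && settings[category] === 'public';
}

// Returns a map of path -> value for one multi-path update.
// A null value deletes that path in the Realtime Database.
function buildPublicFanout(userID, privateEvents, oldSettings, newSettings) {
  const updates = {};
  for (const [eventID, event] of Object.entries(privateEvents || {})) {
    const was = isPublic(oldSettings, event.category);
    const now = isPublic(newSettings, event.category);
    if (was === now) continue; // unchanged categories cost no writes
    updates[`activity_streams_public/${userID}/${eventID}`] = now ? event : null;
  }
  return updates;
}

// Constructed sample: the contents of activity_streams_private/alice.
const SAMPLE_EVENTS = {
  '8399_a1': { category: 'workout', text: 'Ran 5 km' },
  '8400_b2': { category: 'purchase', text: 'Bought shoes' },
  '8401_c3': { category: 'workout', text: 'Cycled 20 km' },
  '8402_d4': { category: 'checkin', text: 'At the gym' },
};
const OLD_SETTINGS = { workout: 'public', purchase: 'public', checkin: 'private' };
const NEW_SETTINGS = { workout: 'public', purchase: 'private', checkin: 'public' };

const SAMPLE_UPDATES = buildPublicFanout('alice', SAMPLE_EVENTS, OLD_SETTINGS, NEW_SETTINGS);
console.log(SAMPLE_UPDATES); // one delete (purchase) and one copy (checkin)
```

In a Cloud Function the returned map would be passed to a single multi-path update() call on the database root through the Admin SDK, which is not subject to the ".write": false rule. Until that update lands, events in a category that was just made private remain readable under activity_streams_public.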
Solution