firebase-security

问题 When I try to read a document in my firebase, I want to be able to check, if the request is legit. For this reason, there is a token that is stored in the firebase. I only want to allow the access, if the token matches with the clients. So my security rules should check, if the token from the client is matching the one in the document. I can not do this with auth, as my App does not have a login and relies purely on the document id and token to access the data. So my question is, how can I

问题 I'm setting up my Firestore security rules, but run against one issue wherein I want to limit updating only one specific field within a document by using the hasOnly function. The problem is that I keep getting 'denied' results using the simulator. I'm surely doing something simple wrong... I'm trying to prevent that somebody could update other fields in the document than update_requested_time , but allow them to update this particular field. When using the example from the Firestore

问题 I'm setting up my Firestore security rules, but run against one issue wherein I want to limit updating only one specific field within a document by using the hasOnly function. The problem is that I keep getting 'denied' results using the simulator. I'm surely doing something simple wrong... I'm trying to prevent that somebody could update other fields in the document than update_requested_time , but allow them to update this particular field. When using the example from the Firestore

问题 I am getting a warning email from Firebase Firestore every day saying that: "any user can read your entire database" But in my case it's an open database where everyone can read the data. I have set up my security rules like so: service cloud.firestore { match /databases/{database}/documents { match /{document=**} { allow read: if true; allow write: if request.auth.uid == 'xxxxx'; } } } What is the problem and how do I stop this warning email? 回答1: You can turn these emails off from the

问题 I am modeling a database with Firestore, for a small company. I have a collection of departments. Each department is a document. In the company, there will never be more than 50 employees. I would like to keep each employee as a map. so a department document will be like this; { emp1: { name: 'tom', age:23, email: 'tom@x.com'}, emp2: { name: 'mike', age:35, email: 'mike@x.com'} } I would like to keep the age field private, it should be accessed only by superusers. From what I learnt, it is

问题 I am storing a collection of documents of blocked users. I am checking if the request is from a blocked user or not by checking if the email exist within the blocked collection allow read: if exists(/databases/$(database)/documents/blocked/$(request.auth.token.email)) == false; does checking if the document exist count as a read? 回答1: Yes, exists() counts as a read toward your billing. They also count against the max number of reads you can perform per request. 来源： https://stackoverflow.com

问题 I am struggling to get my head around some Firestore security concepts. I want to set up a rule based on the request.path property. My rule is this: service cloud.firestore { match /databases/{database}/documents { match /{document=**} { allow read, write: if request.path[0]=='appUsers'; } } } ...and I then use AngularFire2 to add a document like this... this.myAngularFirestore.doc('/appUsers/'+this.auth.auth.currentUser.uid).set({name: this.auth.auth.currentUser.displayName}) .then(()=

问题 I am working on tests for Cloud Firestore Rules, using mocha and Firestore Emulator , and the question is how to initialize some test data before running tests? To test my rules, I first need to initialize some test data. The problem is that I cannot put any data into a document when working with Emulator , documents only have id . I didn't find any example of setting up test data for Rules tests in the docs, so I tried to use both makeDocumentSnapshot from @firebase/testing and document

问题 I'm using REST API in a PHP project to send the data to Firestore DB through curl (PHP curl). I'm struggling in understanding how to setup an authentication rule for a "service" and the suggested approach through Google authorization looks overkilling to me. My data must be readable by ALL but writable just by my PHP server. So far I could ensure that a writing operation could happen only if in the dataset sent a specific code is provided (auth=123): service cloud.firestore { match /databases

问题 I'm kind of stymied on my Firebase read/write rules. I wish I had a way to set break points as it's checking authentication (there isn't a way, is there?). My question is fairly simple and I feel like I should be able to understand it better. I feel like most of stems from not understanding fully the rules. This information is for a simple way to view products online and the owner needs to be able to add products. So I want the world to be able to read and people who log in be able to write.