firebase-security

Firebase Storage Rules - access granted doesn't match rules

烈酒焚心 submitted on 2020-05-15 08:02:08
Question: Here are my rules: rules_version = '2'; service firebase.storage { match /b/{bucket}/o { match /{country}/{type}/{allPaths=**} { allow read, write; } } } For some reason I can write and read at this path: child(Test).child("Image.jpg"), but it shouldn't be. I should only be able to write and read at this path: child(Test).child(Test2).child("Image.jpg"). Test and Test2 are both variables. Am I missing something? Answer 1: It's working as I would expect. In security rules version 2, recursive
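
In rules_version 2 the recursive wildcard `{allPaths=**}` matches zero or more path segments, so the object path /Test/Image.jpg binds country = "Test", type = "Image.jpg" and an empty allPaths, and the write is allowed. The same rule also admits arbitrarily deep paths such as /Test/Test2/a/b/Image.jpg. The following rules file is an added illustration, not code from the post or the answer: the poster's rule (commented out) beside a rule that only matches the three-segment shape the poster wants. The `request.auth != null` condition is an assumption added here; the original rule is open to unauthenticated callers.

```rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Original rule. In rules_version 2 the recursive wildcard matches
    // ZERO or more segments, so /Test/Image.jpg matches with
    // country = "Test", type = "Image.jpg", allPaths = "" (empty),
    // and /Test/Test2/a/b/Image.jpg matches as well.
    // match /{country}/{type}/{allPaths=**} {
    //   allow read, write;
    // }

    // Single-segment wildcards only: exactly /{country}/{type}/{fileName},
    // e.g. /Test/Test2/Image.jpg. A two-segment path such as /Test/Image.jpg
    // matches no rule and is therefore denied, and so is anything deeper.
    match /{country}/{type}/{fileName} {
      // Assumed hardening, not part of the original rule: require a signed-in user.
      allow read, write: if request.auth != null;
    }
  }
}
```

Storage rules deny by default, so leaving the two-segment shape unmatched is what closes the hole; there is no need for an explicit deny.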

See Array Changes in Firestore Security

筅森魡賤 submitted on 2020-05-14 02:20:46
Question: I have a collection reviews where each review contains a list of uids of users who have liked it, called likes. The schema looks like: review (collection): title string, author uid, likes [ uid ], posted timestamp; user (collection): uid, created timestamp, email string. Currently, I'm handling a user liking a review with: firebase.firestore().doc(rid).update({ likes: firebase.firestore.FieldValue.arrayUnion(this.fetchCurrentUID()) }); And unliking with: firebase.firestore().doc(rid).update({ likes
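
The rules below are an added example, not code from the post: they accept the arrayUnion/arrayRemove writes shown in the question while rejecting any other change, by comparing the stored likes array with the incoming one as sets. The `/reviews/{rid}` path and the open read rule are assumptions; the post only names the collection.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /reviews/{rid} {
      // Assumed (not stated in the post): anyone may read reviews.
      allow read: if true;

      // uids present in the incoming likes array but absent from the stored one
      function addedLikes() {
        return request.resource.data.likes.toSet()
                 .difference(resource.data.likes.toSet());
      }

      // uids present in the stored likes array but absent from the incoming one
      function removedLikes() {
        return resource.data.likes.toSet()
                 .difference(request.resource.data.likes.toSet());
      }

      // A like or unlike may touch only the likes field, and the only uid that
      // may be added or removed is the caller's own. arrayUnion and arrayRemove
      // from the client produce exactly this shape; a client that sends a full
      // replacement array containing other people's uids is rejected.
      // A redundant like (uid already present) changes nothing and passes.
      allow update: if request.auth != null
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['likes'])
        && addedLikes().hasOnly([request.auth.uid])
        && removedLikes().hasOnly([request.auth.uid])
        && (addedLikes().size() + removedLikes().size()) <= 1;
    }
  }
}
```

Because the rule reasons about the difference between the two versions rather than about the arrayUnion operator, it also blocks a modified client that writes the likes array directly with `set()` or `update({likes: [...]})`.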

How to prevent a hacker from reading/writing on firebase database

不羁的心 submitted on 2020-05-13 07:06:45
Question: I have some questions about securing a Firebase database for mobile applications. For example, after decompiling an Android application a hacker can get the Firebase API key and then get access to the Firebase database; is this correct? Let's assume I added some security rules, for example that an app can read/write on Firebase only if auth != null; this means that the authentication is protecting my Firebase database, but this leads me to ask the same question: if I configure Facebook/Google/ or even
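
The API key recovered from a decompiled APK identifies the project; it is not a secret and it grants nothing by itself. What stands between an attacker and the data is the rules, and `auth != null` only proves that the caller completed sign-in with one of the providers you enabled, which anyone can do with a throwaway account. The rules file below is an added example, not taken from the post: the weak rule from the question beside an owner-scoped rule that also constrains what an owner may write. The `/users/{uid}` layout and the two field names are assumptions.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Weak (the rule from the question): the key extracted from the APK plus
    // any self-registered account, or anonymous auth if enabled, can read and
    // write every document in the database.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Assumed layout, not in the question: one profile document per user,
    // keyed by the Firebase Auth uid.
    match /users/{uid} {
      // Only the account that owns the document may read it.
      allow read: if request.auth != null && request.auth.uid == uid;

      // Owners may create or update their own profile, but the client is
      // untrusted even when it is the real app, so validate the payload:
      // fixed key set, bounded string, and an email that matches the token.
      allow create, update: if request.auth != null
        && request.auth.uid == uid
        && request.resource.data.keys().hasOnly(['displayName', 'email'])
        && request.resource.data.displayName is string
        && request.resource.data.displayName.size() <= 64
        && request.resource.data.email == request.auth.token.email;

      allow delete: if false;
    }
  }
}
```

With this shape, a stolen key plus a fresh Google or Facebook login yields exactly one writable document, the attacker's own, and the rest of the database stays unreachable regardless of which providers are enabled.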

Firestore security rules get field/id of reference

不想你离开。 submitted on 2020-05-11 06:52:13
Question: I have two collections - tenancies and users. A tenancy doc has a field called "landlordID" which is of type REFERENCE (not String). Now in my Firestore Security Rules I want to allow a tenancy to be updated ONLY IF the landlordID field of that tenancy matches the uid of the user making the request, namely request.auth.uid. Read it as "allow a tenancy document to be updated if the user making the request is authenticated, hence request.auth.uid != null, and the landlordID field's ID should
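
A reference-typed field is exposed to rules as a path value, so it can be compared with a path built from the caller's uid. The rules below are an added example, not code from the post; they assume (the post does not say) that landlordID points at a document in the users collection.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /tenancies/{tenancyId} {
      // landlordID arrives as a path such as
      // /databases/(default)/documents/users/<uid>, so compare it with the
      // path of the caller's own user document. $(database) is the wildcard
      // bound above, which keeps the rule correct for any database name.
      function isLandlord() {
        return request.auth != null
          && resource.data.landlordID
             == /databases/$(database)/documents/users/$(request.auth.uid);
      }

      allow read: if isLandlord();

      // The landlord may update the tenancy, but may not hand it to someone
      // else by rewriting landlordID in the same request.
      allow update: if isLandlord()
        && request.resource.data.landlordID == resource.data.landlordID;
    }
  }
}
```

The comparison is on the whole path, not just the last segment, so a reference to /otherCollection/<uid> does not pass even though its final component equals the caller's uid.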

Disable querying collection in Firebase Cloud Firestore with rules

孤街醉人 submitted on 2020-05-11 04:27:29
Question: I am using Firebase Cloud Firestore, and I want to modify my rules to restrict users from querying a collection. This should not be allowed: firestore().collection("users").get() But this should be allowed: firestore().collection("users").doc("someUserId").get() Currently, my rules look like this: match /users/{userId} { allow read; } but this rule allows the "users" collection to be queried. How can I allow single document gets, but not collection queries? Answer 1: You can break read rules into
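
`allow read` is shorthand for `allow get, list`; splitting it lets single-document fetches through while denying queries. The rules below are an added example, not from the post or the answer. The `request.auth != null` condition and the commented admin-only variant, with its assumed custom claim named `admin`, go beyond the question.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      // Original: "allow read" grants both get and list.
      // allow read;

      // Single-document fetch, e.g. collection("users").doc(id).get().
      // The caller must already know the document id.
      allow get: if request.auth != null;

      // Queries against the collection, e.g. collection("users").get(),
      // are denied outright ...
      allow list: if false;

      // ... or, if some callers need queries, gate them on a custom claim
      // (assumed, not in the question) and a bounded page size so a query
      // cannot dump the collection in one request.
      // allow list: if request.auth != null
      //   && request.auth.token.admin == true
      //   && request.query.limit <= 50;
    }
  }
}
```

Note what this does and does not protect: any document whose id is known or guessable is still readable by every signed-in user, so the defence is enumeration resistance, not confidentiality of a specific document; an owner check on `request.auth.uid == userId` is the stronger option where it fits.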

Is it possible to determine the source of an incoming request?

核能气质少年 submitted on 2020-05-09 10:27:09
Question: Is it possible to know the hostname of the source of an incoming request to a Cloud Firestore document? I would like to write a database rule of the form allow write: if request.resource.data.source_host_name == some_predefined_value. This is a web application, so I'm trying to find a good way to limit who gets to write to my database without using traditional auth methods. Answer 1: That sort of rule is not possible with Cloud Firestore. It also wouldn't be very secure, as it's possible to spoof

security rules to allow update of specific fields

て烟熏妆下的殇ゞ submitted on 2020-05-09 06:42:48
Question: I am new to security rules. I have to write a security rule to prevent a user from updating a document except for one field. Let's say I have a doc { field1 : one, field2 : two, field3 : three, . . . fieldn : n } The logged-in user should be able to update only field2, using Firestore security rules. Answer 1: There is no explicit way in security rules to validate the update that is happening. But what you can do is validate the data in the document before and after the write operation. By comparing those
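
Two ways to express the before/after comparison the answer describes, as an added example that is not code from the post or the answer. The collection name `/docs/{docId}` and the `is string` check on field2 are assumptions; the question gives neither.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed collection name; the question does not give one.
    match /docs/{docId} {
      // Field-by-field comparison of the stored document (resource) with the
      // incoming one (request.resource). Every field except field2 must be
      // unchanged. This has to be extended for each of field1..fieldn, and it
      // does not stop a client from adding new fields the list does not name.
      function onlyField2ChangedByHand() {
        return request.resource.data.field1 == resource.data.field1
          && request.resource.data.field3 == resource.data.field3;
      }

      // Same intent with the map diff helper: affectedKeys() is the set of
      // keys added, removed or modified between the two versions, so
      // hasOnly(['field2']) rejects any other change, including new keys
      // and deleted keys, without enumerating the schema.
      function onlyField2Changed() {
        return request.resource.data.diff(resource.data)
                 .affectedKeys().hasOnly(['field2']);
      }

      allow read: if request.auth != null;

      allow update: if request.auth != null
        && onlyField2Changed()
        && request.resource.data.field2 is string;
    }
  }
}
```

Prefer the diff form: the hand-written comparison silently stops protecting the document the first time a field is added to the schema and not to the rule, whereas `affectedKeys().hasOnly(...)` is closed by construction.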

Firestore Database Rules - “Create” Rule Not Working for Cloud Functions

◇◆丶佛笑我妖孽 submitted on 2020-05-07 09:24:26
Question: Database Rules for Documents Created with an HTTP Cloud Function. The attached image shows two things: a screenshot of the Firestore database collection with one document that was created via an HTTP Cloud Function, and a screenshot of the Firestore 2.0 rules. Rule: The rule allow create: if request.resource.data.replyTo == "hello"; was written to prevent any document from being created unless 'replyTo' == "hello". Question: Why was the document allowed to be created when 'replyTo' == 'john@smith.com'? Answer 1: Cloud