firebase-security

问题 I am getting very high counts of Entity Writes in my firestore database. Write permission in most of the paths are restricted, done from back-end server using admin SDK. Only a very few paths have write access- specifically only to the users who are (authenticated & registered & joined and approved in a specific group), so even though the ways to abuse are apparently thin, yet hard to specifically identify. Only way I see- is to execute Cloud Functions on every write, and have the function

问题 I am getting very high counts of Entity Writes in my firestore database. Write permission in most of the paths are restricted, done from back-end server using admin SDK. Only a very few paths have write access- specifically only to the users who are (authenticated & registered & joined and approved in a specific group), so even though the ways to abuse are apparently thin, yet hard to specifically identify. Only way I see- is to execute Cloud Functions on every write, and have the function

问题 I have some trouble with Cloud function and firestore rules. I would like use cloud function with limited privilèges on Firestore and give only has access as defined in the Security Rules It's working without problem on RTDB but not on Firestore. I have try with this rules service cloud.firestore { match /databases/{database}/documents { match /init/{ID=**} { allow read, write: if true; } match /test/{ID=**} { allow read, write: if false; } } } And this const admin = require('firebase-admin')

问题 With a structure of /archive: { $userId: { $archiveKey: { foo: 1 }, ... }, ... } Where $userId references a user id and $archiveKey is dynamic, created by .push() . Is it possible to query the archive ref and get all archiveObjects where foo = 1 ? Or do I need to fetch down the whole table, manually dig into $userId and extract the archiveObjects I'm looking for? 回答1: Firebase queries can nowadays query nested paths, but the paths cannot be dynamic. So if you know the uid, you can query that

问题 Writing rules for Firestore it seems that custom variables are not working. Did anyone know why or have seen similar behaviour? Using the below I got access denied although the uid is in the array of admin. service cloud.firestore { match /databases/{database}/documents { match /conferences/{confid} { allow read,write: if request.auth.uid in get(/databases/$(database)/documents/conferences/$(confid)).data.admin; } } } Simulator is giving the below error: Function [get] called with path to

问题 This question already has answers here : Restricting child/field access with security rules (3 answers) Closed 3 years ago . When using .read with a true rule on the Users node, I give access to some authenticated user read every user listed on that tree. I need just some of then. I need some rule that works like a filter. So on getting User/ path, this authenticated user will get an users array of only those that have permission path like this $uid > permission > auth.uid = true . { "rules":

问题 I would like to limit the rate of data reads per user from the Realtime Database. There are good ways to limit writes like described here but I can't find any solution on how to limit data reads. Can this be done with Security Rules, Cloud Functions or can I limit it somewhere in the Firebase account? I have checked the documentation but can't find the answer. 回答1: This applies to both Realtime Database and Firestore, except with different terminology. (Location == document) You won't be able

问题 I have a database node called (people) that looks like this: people | | -------UserID1 //which is a random id | | | | | ----UserId2 //which is a random id | | | | | name:"some_name" | id:"UserId2" | image:"image_url" | | | -------UserId2 | | ----UserId3 | | name:"some_name" id:"UserId3" image:"image_url" If we look at the (people / UserID1 / UserId2) node : Since UserId1 and UserId2 are 2 random ids, then if we want to write a rule to UserId2 we will notice that it is 2 random id level deep.

问题 My request is pretty simple in appearence : limiting the number of documents in a subcollection using Firestore Rules. I already know that it is possible to know the size of an array using .size() . So, you may ask why I am not using an array to store my items ? Well, I want a "normal" user to not be able to update my parent document field but to be able to add a document to my subcollection. I already tried to do this : match /slots/{slot} { allow read: if true; allow write: if getRole() ==

问题 I have a list of records in firebase which will have a group property with zero or more groups on it. I also have the firebase auth object which will also have zero or more groups on it as well. I would like to set up a .read firebase rule for my records that will check if the two have at lease one group that exists in both lists. Put another way I have a user that has an array of groups that have been assigned to it. I have some records that also has some list of groups on them that specify