firebase-security

问题 This question already has answers here : Validate a Firebase Key is an integer (2 answers) Closed 4 years ago . I am just getting started with Firebase security and probably I am missing something. I need to validate that after 'notification' the path(key) is 15 (later I will update 15 to be regex using matching method, but currently I am struggling enforcing this simple case): { "rules": { ".write": true, "notifications": { "$year": { ".validate": "newData.val() === '/15'", } } } } I am

问题 Seems like either the query.startAt rule is broken, or I don't understand it. Can someone confirm? Here is the minimal reproducible error. Live example; open Chrome console with CTRL+SHIFT+i. GitHub repo. database.rules.json: { "rules":{ ".read": "query.startAt>0", ".write": false } } index.html <!DOCTYPE html> <html> <body> <script src="/__/firebase/7.6.1/firebase-app.js"></script> <script src="/__/firebase/7.6.1/firebase-database.js"></script> <script src="/__/firebase/init.js"></script>

问题 I have a family, A, b, c, d , and A is the leader. We have an intruder, E . We only want b, c, d to read/write A's data. ALL OF THESE letters (b, c d,...) will be the UID's Here is what I have so far: Everyone is authenticated with email. People send requests to A to be allowed in his group. If he accepts, they can read/write to his. Design for database Firebase { "Leaders" : { "A" : { "ALLOWED" : { "b" : 0, "c" : 0, "d" : 0 }, "DATA" : { "blah blah1" : "content writable by bcd", "blah blah2"

问题 I want to create a chat application using firebase real time db, I already have my own server and my own authentication for my users and recipient. So basically what I want to do is: I want my server to able to generate room, and its room secret key, so only to people I share the secret key who can access the room, do read and write maybe the flow is like this 1. The server create a POST using REST API to this url curl -X PUT \ https://example-chat-92682.firebaseio.com/order-test.json \ -d '{

问题 I have a firebase location with all of my app's stored messages as child objects. I want clients to be able to get each message if they know the id of the message but not download the entire messages table. What would the security rule for this look like? Thanks. 回答1: You can disallow a read on the parent, but allow reads if the ID is known: "rules": { "messages": { // Disallow enumerating list of messages ".read": false, ".write": false, "$messageID": { // If you know the messageID you can

问题 I have a firebase location with all of my app's stored messages as child objects. I want clients to be able to get each message if they know the id of the message but not download the entire messages table. What would the security rule for this look like? Thanks. 回答1: You can disallow a read on the parent, but allow reads if the ID is known: "rules": { "messages": { // Disallow enumerating list of messages ".read": false, ".write": false, "$messageID": { // If you know the messageID you can

问题 A big problem I am having with Firestore Rules is that using the Simulator in the Firebase Console to simulate database accesses does not correspond to the behavior I am seeing from my clients. Now I have stumbled accross an issue that I cannot seem to fix. Issue The following syntax works fine in the simulator : allow create: if request.writeFields.hasAll(["a", "b", "c"]); When requesting with the exact same fields from my Android client, I get Error performing setData, PERMISSION_DENIED:

问题 This is how the rules are defined on firebase: { "rules": { "users": { ".read": true, "$user_id": { ".write": "auth.uid === $user_id", ".read" : true }}}} I have succesfully written new user information in my register activity using setValue() just like below, and also added new comments using push().setValue(), each time I didn't have an issue with authentication. New user written straight to http://DB/users/ while comments were added very deep. Here is a code snippit, my code hits the Log:

问题 I have been looking at the demos of Firebase and i am amazed at the functionality and flexibility to store data online. Also looked at the AngularJS Projects tutorial on its homepage, with Firebase as the backend. However, before starting to use it in my web application, i have few questions like: Where exactly is all my data stored? What if my data gets lost in the future due to hardware failure or any other issue? Will it be safe to rely on Firebase, for the security of my app data from

问题 How do I check if user on client sided created document with only firebase.firestore.FieldValue.serverTimestamp() ? I have following: allow create: if request.resource.data.timestamp == ?? What should I have instead of ?? . I have tried serverTimestamp() firebase.firestore.FieldValue.serverTimestamp() , now or now() but it doesn't work. It is possible to do it in Firebase like this: ".validate": "newData.child('timestamp').val() === now" I am looking for the same solution. Any ideas? Thanks