firebase-security

问题 I'm writing the security rules for my Firestore database, and I got to the point where I'm probably writing too many checks and the authorization automatically fails. For example the rules for a specific path are service cloud.firestore { match /databases/{database}/documents { match /pending/{userId} { match /rate/{vendorId}/events/{eventId}/ratings/{rateId} { allow write: if request.auth.uid == userId && exists(/databases/$(database)/documents/vendors/$(vendorId)) // The vendor must exist &

问题 Closed . This question needs to be more focused. It is not currently accepting answers. Want to improve this question? Update the question so it focuses on one problem only by editing this post. Closed 3 years ago . I have been researching around the web on how to create a friends list system using firebase. So far I had no luck and was given resources that was not quite what I was looking for. The premise of the app is using the User Login & Authentication to create a account(completed),

问题 I am using Stripe for payments. For this, I have the following data model in Firestore: Users/{userId}/payments/{document} each {document} is an object that looks like: { amount: 55 token: {...} charge: {...} } Users must be able to to write the token field (this is what gets passed to the server), but I don't want users to be able to write the charge field. Currently my rules allow any user to read and write to this document: match /payments/{documents} { allow read, write: if request.auth

问题 I am using Stripe for payments. For this, I have the following data model in Firestore: Users/{userId}/payments/{document} each {document} is an object that looks like: { amount: 55 token: {...} charge: {...} } Users must be able to to write the token field (this is what gets passed to the server), but I don't want users to be able to write the charge field. Currently my rules allow any user to read and write to this document: match /payments/{documents} { allow read, write: if request.auth

问题 How can I check if there are only strings in request.resource.data.myArray ? Loops and recursive calls are not allowed. 回答1: This is not possible today, unless you know the size of the array, and you write an expression to check the element at each index. However, what you're asking is a reasonable thing to want to do, and you should file a feature request for it. Bear in mind, though, that it's a long way off from happening. The only way this would eventually work is if the rules language

问题 Currently, I have implemented a project folder structure similar to the below Project folder structure I have added the Phone authentication in my code. Now with the help of Firebase rules, I would like to restrict my users to access the child (Phone number 1) based on authenticated phone number. For instance, if I log-in with phone number "9999999999" then I would like to restrict the user to access only the child of "9999999999" in Firebase rules. Could you suggest me here to improve the

问题 I am creating security rules for my Firebase project and wanted to add UIDstring.length == 28 to my database rules. All of my users UIDs are 28 characters, but I wanted to check if they can be any longer or shorter? Thanks 回答1: A Firebase developer had this to say on their forums: I would not rely on a constant length for the UIDs forever. We chose the current value because it provides a big enough ID space while still being under the 36-character limit for Firebase Analytics user properties.

问题 This post describes how to tie multiple accounts to a single $uid in a users collection. Here's those security rules: "rules": { "users": { "$uid": { ".write": "auth != null && (data.val() === null || (auth.provider === 'facebook' && auth.id === data.child('facebookUid').val()) || (auth.provider === 'twitter' && auth.id === data.child('twitterUid').val()))" } }, "usersMap": { "facebook": { "$fuid": { ".read": "auth != null && auth.provider === 'facebook' && auth.id === $fuid", ".write": "auth

问题 I have a chat app where users can send photos in private or group chats. Each private or group chat has a unique chat id: /images/<chat id>/image.jpg How would one secure the access to this files so that only the chat members can view them? In the Firebase database I have a node with a structure like: /members/<chat id>/member1: true . Is this actually necessary, since the links are only posted to the corressponding chats? Can any authed user actually browse through the files saved in the

问题 I'm working on an app using Firebase. I have the following data structure on Firebase: { rules: { "version": { "threads": { "$thread": { "noticeList": { ".read": true, ".write": true }, "messages": { ".read": "root.child('version/threads/' + $thread + '/users/' + auth.uid).exists()", ".write": "root.child('version/threads/' + $thread + '/users/' + auth.uid).exists()" }, "$other": { ".read": "auth != null", ".write": "auth != null" } } } } } Each thread has subnode /users/ and I want to make a