firebase-security

问题 I really enjoy using Firebase, and I would like to use it in a new app, but the app would have the user upload sensitive information. I know Firebase uses https, but looking around, it seems Firebase does not yet make encryption at rest available. Is there a way around this to use Firebase and still make an administrator unable to read the data from the Firebase Forge, for instance? Thank you. 回答1: If you encrypt all data that you store in Firebase with a key that is only known to the client,

问题 Assume the following. posts : { "$postid":{ "meta":{ "state":true, "text" :"I should be read", }, "likes":{ "uid1":true, "uid2":true, }, }, "$postid":{ "meta":{ "state":false, "text" :"I should be read", }, "likes":{ "uid1":true, "uid2":true, "uid3":true, }, } } I want to query the parent node('posts') as follows. Leave out posts with state = false Prioritise posts with most likes Security Rules Deny posts with state == false to be read. Here's the Javascript Version Of how I'm querying data.

问题 I want to get all the users that are friends of the logged user. This is my data structure. { "users": { "UID1":{ "name":"Pepito", "friends":{ "UID2":true, "UID4":true, } } ... } } I am getting the users with this code Firebase.database.reference().child("users") .orderByChild("friends/" + Firebase.user.uid).equalTo(true) And the rules should be { "rules": { "users" : { ".read" : "query.orderByChild.contains('friends/')", "$uid" : { ".write": "auth.uid == $uid", } } } } But the rules not

问题 I am struggling to find a solution to prevent clients from just creating random fields with values in a document where they have write access to in Firestore. Since you cannot restrict access to single fields in Firestore like you could with the realtime database, this seems hard to achieve. A solution would maybe be to not allow creation of fields and just letting clients update fields, but this would mean you would have to precreate the fields for documents which is not really a good

问题 I have a following data structure as a firestore document and I want to set the security rule to each participants. { event_name: 'XXX', created_by: 'userid' participants: { userid_a: true, userid_b: true, userid_c: true, } } participants are set as array-like data to query the collection by using participant's userid. And I am updating the data as a following way const eventDoc = this.afs.doc('event/' + event_id ); participant_obj = {} participant_obj[`participant_obj.${user_id}`] = true;

问题 I have a Firestore security rule that check that an user has the proper code to access another document. service cloud.firestore { match /databases/{database}/documents { match /Orgs/{orgID} { allow read: if get(/databases/$(database)/documents/Users/$(request.auth.uid)).data.OrgCode == resource.data.Code; } } } This works great. However, if I try to move this check into a custom function like so: service cloud.firestore { match /databases/{database}/documents { match /Orgs/{orgID} { allow

问题 Structure: { "accounts" : { "JGeRgwAUBM..." : { "active" : true, "created" : 1468406951438, "key" : "JGeRgwAUBM..." } } Rules: { "rules": { ".read": false, ".write": false, "accounts": { "$uid": { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" } } } } Goal: Instead of using the auth.uid as key for the data, I would rather prefer to use the generated key from push().getKey() { "accounts" : { "theKeyIGetFrom: push().getKey()" : { "active" : true, "created" : 1468406951438, "auth

问题 Has any way to limit users to read based on time, using Firestore Rules? E.g: Limit a malicious user authenticated as an anonymous user to read a document several times per millisecond. This can cause elevate pricing for this multiples requests 回答1: There is no way to limit the rate of document reads using security rules. If you think someone is abusing the resources in your project, contact Firebase support and explain what you're observing. 来源： https://stackoverflow.com/questions/53227674

问题 by execution of firestore runTransaction function on the web, it occurs error below. firestore.googleapis.com/v1beta1/projects/myproject/databases/(default)/documents:commit:1 POST https://firestore.googleapis.com/v1beta1/projects/myproject/databases/(default)/documents:commit 403 i want to allow only update one field for everyone and others are for login user. so update rule uses next. allow update: if request.resource.data.keys().hasOnly(["numPlayed"]) || request.auth.uid != null; and

问题 In my Firestore based app I use the following query to retrieve some data: FirebaseFirestore.getInstance().collection("events").document( eventId ).collection("instances").get().addOnCompleteListener( .... ) This gives a permission denied stacktrace: FirebaseFirestoreException: PERMISSION_DENIED: Missing or insufficient permissions. The relevant part of my rules is as follows: match /events/{eventId} { allow create: if isCurrentUser( request.resource.data.owner ); allow read: if isOwner