问题
I have the following database entry: "companies: 8":
I have the following database rules, which do not allow a simulated write of "companies: 8" to the database.
{
"rules": {
".read": "auth != null",
".write": "auth != null",
"companies": {
".validate": "(data.exists() && (newData.val() === data.val() + 1)) || (!data.exists() && newData.val() == 0)"
}
}
}
However, when I try to write "companies: 20" to the database with the Firebase Python SDK, which also is not allowed under these rules, it works:
In [1]: import firebase_admin
In [2]: from firebase_admin import credentials, db
In [3]: cred = credentials.Certificate('serviceAccountCredentials_dev_async.json
...: ')
In [4]: firebase_admin.initialize_app(cred, {'databaseURL': 'https://async-testi
...: ng.firebaseio.com/'})
Out[4]: <firebase_admin.App at 0x7fc50c00c080>
In [5]: ref = db.reference()
In [6]: ref.update({'companies': 20})
What am I doing wrong?
回答1:
You are using the Firebase Admin SDK and it looks like you are initializing with the credentials for a service account. In this case, no security rules are applied, I think not even validation rules.
If there is a reason you must you the Admin SDK and want validation rules to be performed, authenticate with limited priveleges:
As a best practice, a service should have access to only the resources it needs. To get more fine-grained control over the resources a Firebase app instance can access, use a unique identifier in your Security Rules to represent your service. Then set up appropriate rules which grant your service access to the resources it needs.
来源:https://stackoverflow.com/questions/45385431/firebase-rules-allowing-write-when-they-shouldnt-be