问题
I have rules set up that ensure a foreign key like constraint: when I put data at a certain path, the key is validated to exist at another node.
Rule snippet:
"app": {
"freebies": {
"$provider_id": {
".validate": "newData.parent().parent().parent().child('app').child('providers').child($provider_id).val() != null"
}
}
}
If I run a simulation with these params
Write to /app/freebies
width data: {"totally_fake": 1}
This fails, which is CORRECT.
On the other hand, if I just go to the online editor and add a node to the same location with the same data, it writes the DB without errors.
My question is: does the online editor bypass the security rules ?
回答1:
Yes, it does. The Firebase console, as well as the Admin SDKs, bypass security rules and have "administrative" access to the Realtime Database.
来源:https://stackoverflow.com/questions/43945118/does-the-firebase-database-online-editor-ignore-security-rules