问题
In order to let Android users register and login through my app I have set the .read and .write as true. My problem is anyone is able to access the users JSON file since it's public. How can I restrict the access to the database only through the app and Firebase console? Below are the rules:
{
"rules": {
".read": true,
".write": true
}
}
回答1:
Using the following rules:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
You'll give read and write access only to authenticated users. For more information, please see the official documentation regarding Firebase security rules.
According to your comment, you should then verify if the user that performs an operation is actually the authenticated user. So for example, let's say you want only authenticated users to able to access their accounts, the following rules are required:
{
"rules": {
"users": {
"$uid":{
".read": "$uid === auth.uid",
".write": "$uid === auth.uid"
}
}
}
}
回答2:
This is depends on the situation of your project on how it works, If you want all authenticated users can read all users data, but cannot write to other users Database, this must be the rule. Current user can only write to his own Database
{
"rules": {
"users" : {
".read" : "auth != null",
"$user_id" : {
".write" : "auth != null && $user_id === auth.uid"
}
},
}
}
Rule below is for: Read and write to your own Database (No one can read and write except the currentUser)
{
"rules": {
"users" : {
"$user_id" : {
".read" : "auth != null && $user_id === auth.uid",
".write" : "auth != null && $user_id === auth.uid"
}
},
}
}
来源:https://stackoverflow.com/questions/54114203/what-rules-to-use-on-firebase-realtimedatabase-to-let-users-register-and-login