Cloud functions seem to bypass validation rules, but it shouldn't


Problem description

    "connections-guests": {
      "$user_id": {
        "$to_user_id": {
          ".validate": "
            !root.child('/connections/' + $user_id + '/' + $to_user_id).exists()
          ",
          "score": {
            ".validate": "newData.val() * -1 < now"
          },
          "$other": { ".validate": false }
        }
      }
    },

Apparently, on Cloud Functions, when I create this connections-guests node, it's always successful, regardless of .validate.

However, in the simulator (write: true for root), the validation rule is respected.

Recommended answer

Most likely you are accessing the database using the Admin SDK from within your Cloud Functions code. When you initialize the Admin SDK with its default settings it runs with full privilege and indeed bypasses the security rules.

If you don't want to run with administrative privilege, you can either initialize the Admin SDK to run at lower privilege, or you can access the database through event.data.ref, which runs as the user who triggered the function.
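Added example (not part of the original question or answer): because a default-initialized Admin SDK skips the rules, a function that keeps full privilege has to apply the same checks itself before writing. The code below mirrors the three `.validate` rules from the question; the function name, the plain-object `root` copy of the database and the sample data are assumptions made for illustration.

```javascript
// Mirrors the .validate rules for /connections-guests/$user_id/$to_user_id.
// `root` is a plain-object copy of the database contents (hypothetical input,
// e.g. built from snapshot.val()); `now` is milliseconds since the epoch,
// matching the `now` variable in the rules.
function validateGuestConnection(root, userId, toUserId, newData, now = Date.now()) {
  const errors = [];

  // .validate rules are not evaluated when the write deletes the node.
  if (newData === null || newData === undefined) return errors;

  // Rule on $to_user_id: no entry may already exist under /connections.
  const existing = ((root || {}).connections || {})[userId];
  if (existing && existing[toUserId] !== undefined && existing[toUserId] !== null) {
    errors.push('connection already exists');
  }

  // Child rules only apply when the new value has children.
  if (typeof newData === 'object') {
    for (const [key, value] of Object.entries(newData)) {
      if (value === null) continue; // a null child is an absent child
      if (key !== 'score') {
        // "$other": { ".validate": false }
        errors.push(`unexpected child "${key}"`);
      } else if (typeof value !== 'number' || !(value * -1 < now)) {
        // "score": newData.val() * -1 < now (non-numbers fail rule evaluation)
        errors.push('score must be a number with -score < now');
      }
    }
  }
  return errors;
}

// Constructed sample data: alice is already connected to bob.
const SAMPLE_ROOT = { connections: { alice: { bob: { since: 1 } } } };
```

An empty array means the write would pass the rules from the question; anything else lists the rule that a default Admin SDK write would have silently skipped.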
