Can Cloud Functions bypass Firestore security rules

Question

I recently developed with the implementation of Firestore and Firestore security rules.

Certain authenticated users can grab data if it was created by them; this was one of the features of the app.

i.e., A creates X, B creates Y; A can't access Y and B can't access X.

This is ensured using security rules.

I deployed the app with Cloud Functions, and this acts as an API.

Simulating the security rules passes without failure, but when I called the API via a tool like Postman, A can access Y and X, and B can access X and Y.

I read this Stack Overflow question that talks about overwriting the security rules if used by the firebase-admin SDK, which is what I am using.

But I am just curious, are there any other ways to restrict outside API tools from fetching data like this?

Here is the link

Recommended answer

All access to Firebase and Cloud products (Realtime Database, Cloud Firestore, Cloud Functions) coming from any backend SDK will bypass security rules entirely. This includes the Firebase Admin SDK and any other Cloud SDKs. Security rules only apply to web and mobile client access.
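
Because backend access skips security rules, the ownership check the rules expressed has to be repeated in the function itself. The following is an added example, not part of the original question or answer; the `ownerUid` field, the `{ status, body }` handler shape and the injected `verifyIdToken`/`getDoc` functions are assumptions (in a deployed function they would wrap `admin.auth().verifyIdToken` and an Admin SDK document read).

```javascript
// Added example: per-request authorization inside a backend handler.
// `ownerUid` is a hypothetical field holding the creator's uid.
// deps.verifyIdToken(token) -> Promise<{ uid }>  (e.g. admin.auth().verifyIdToken)
// deps.getDoc(id) -> Promise<object|null>        (e.g. an Admin SDK document get)
function makeGetItemHandler(deps) {
  return async function getItem(req) {
    // 1. Authenticate: require a bearer ID token and verify it server-side.
    const header = (req.headers && req.headers.authorization) || '';
    const match = /^Bearer (.+)$/.exec(header);
    if (!match) return { status: 401, body: { error: 'missing token' } };

    let caller;
    try {
      caller = await deps.verifyIdToken(match[1]);
    } catch (err) {
      return { status: 401, body: { error: 'invalid token' } };
    }

    // 2. Load the document with admin privileges (no rules are evaluated).
    const doc = await deps.getDoc(req.params.id);

    // 3. Authorize: same answer for "missing" and "not yours", so callers
    //    cannot probe which document ids exist.
    if (!doc || doc.ownerUid !== caller.uid) {
      return { status: 404, body: { error: 'not found' } };
    }
    return { status: 200, body: doc };
  };
}

// Constructed stand-ins so the example runs offline (A owns X, B owns Y).
const sampleDocs = new Map([
  ['X', { ownerUid: 'A', value: 1 }],
  ['Y', { ownerUid: 'B', value: 2 }],
]);
const sampleTokens = new Map([['token-A', { uid: 'A' }], ['token-B', { uid: 'B' }]]);
const getItem = makeGetItemHandler({
  verifyIdToken: async (t) => {
    if (!sampleTokens.has(t)) throw new Error('bad token');
    return sampleTokens.get(t);
  },
  getDoc: async (id) => sampleDocs.get(id) || null,
});
```

With the stand-ins above, a request carrying A's token reads X but gets a 404 for Y, and a request with no token or an unverifiable token gets a 401 before any document is read.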
