允许管理员用户读取/写入所有其他用户的firebase安全规则会造成安全漏洞? [英] firebase security rule to allow admin users to read/write all other users creates a security breach?

问题描述

我正在使用Cloud Firestore数据库，并且我的根数据库上有用户"集合，并且其中包含所有用户文档(称为uid)，并且其中包含我收集的数据.我希望只允许用户读/写他们自己的集合，所以我从

I am using cloud Firestore database and I have 'users' collection on my root database and in it there are all the users documents (named as the uid) and inside it the data I collect. I wanted to allow users to only read/write to their own collections so I started my security rules with

service cloud.firestore {
  match /databases/{database}/documents {
    // Allow only authenticated content owners access
    match /users/{userId}/{documents=**} {
      allow read, write: if request.auth.uid == userId
    }
  }
}

然后我意识到用户没有创建自己的主文档的权限(将其创建为幽灵"文档).我还想向其中添加数据，例如显示名称和电子邮件，所以我添加了

then I realized that the users don't have permission to create their own main document (it created it as a 'ghost' document). I also want to add data to it such as display name and email, so I added

// Allow users to read/write their own main user object
match /users/{userId} {
  allow read, write: if request.auth.uid == userId
}

一切正常，但现在我想允许管理员用户读取/写入所有用户的收藏夹和文档. firebase的文档建议在用户文档中添加键值例如(admin:true)，因此像这样编辑我的安全规则应该可以解决问题:

all works well but now I want to allow admin users to read/write to all user's collections and documents. firebase's documentations suggests adding a key-value to the user's document such as (admin:true), so editing my security rules like so should do the trick:

match /users/{userId}/{documents=**} {
  allow read, write: if request.auth.uid == userId
  allow read, write: if get(/users/$(request.auth.uid)).data.admin == true; //-security breach?
}

但这是否会造成安全漏洞，使用户可以使用(admin:true)从技术上更新自己的文档并获得管理员特权?如果是这样，我想我的方法应该是创建一个单独的 admins 集合并在其中添加我的管理员，然后在

but doesn't it creates a security breach where a user can technically update his own document with (admin:true) and gain admin privilege? if so, i'm guessing my approach should be creating a separate admins collection and add my admins there and then do something in the lines of

allow read, write: if get(/admins/$(request.auth.uid)) != null

?还是我可以使用更漂亮的东西?

? or is there something prettier I can use?

推荐答案

此规则确实将允许任何人将自己标记为管理员，从而​​破坏了规则的全部目的:

This rule is indeed going to allow anyone to mark themselves as an Admin, defeating the whole purpose of your rules:

allow read, write: if get(/users/$(request.auth.uid)).data.admin == true;

您想要做的是:

• 为管理员用户提供自定义 admin:true 声明，然后您可以使用以下方法检入规则:<代码>允许读，写:if auth.token.admin === true;
• 在您的安全规则中为管理员保留明确的UID列表，然后在每个规则中进行检查.因此:允许读取，写入:if isAdmin(); ，然后 function isAdmin(request){返回request.auth.uid =="KqEizsqUQ6XMkUgLUpNxFnzLm4F3"} .
>
• 在Firestore中的另一个(通常不可写)集合中保留管理员UID的列表，并进行检查.这几乎就是您所描述的，并且如果您想快速，轻松地添加/删除管理员，这是最常用的方法.

这篇关于允许管理员用户读取/写入所有其他用户的firebase安全规则会造成安全漏洞?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！