允许管理员用户读取/写入所有其他用户的firebase安全规则会造成安全漏洞? [英] firebase security rule to allow admin users to read/write all other users creates a security breach?
问题描述
我正在使用Cloud Firestore数据库,并且我的根数据库上有用户"集合,并且其中包含所有用户文档(称为uid),并且其中包含我收集的数据.我希望只允许用户读/写他们自己的集合,所以我从
I am using cloud Firestore database and I have 'users' collection on my root database and in it there are all the users documents (named as the uid) and inside it the data I collect. I wanted to allow users to only read/write to their own collections so I started my security rules with
service cloud.firestore {
match /databases/{database}/documents {
// Allow only authenticated content owners access
match /users/{userId}/{documents=**} {
allow read, write: if request.auth.uid == userId
}
}
}
然后我意识到用户没有创建自己的主文档的权限(将其创建为幽灵"文档).我还想向其中添加数据,例如显示名称和电子邮件,所以我添加了
then I realized that the users don't have permission to create their own main document (it created it as a 'ghost' document). I also want to add data to it such as display name and email, so I added
// Allow users to read/write their own main user object
match /users/{userId} {
allow read, write: if request.auth.uid == userId
}
一切正常,但现在我想允许管理员用户读取/写入所有用户的收藏夹和文档. firebase的文档建议在用户文档中添加键值例如(admin:true)
,因此像这样编辑我的安全规则应该可以解决问题:
all works well but now I want to allow admin users to read/write to all user's collections and documents.
firebase's documentations suggests adding a key-value to the user's document such as (admin:true)
, so editing my security rules like so should do the trick:
match /users/{userId}/{documents=**} {
allow read, write: if request.auth.uid == userId
allow read, write: if get(/users/$(request.auth.uid)).data.admin == true; //-security breach?
}
但这是否会造成安全漏洞,使用户可以使用(admin:true)
从技术上更新自己的文档并获得管理员特权?如果是这样,我想我的方法应该是创建一个单独的 admins
集合并在其中添加我的管理员,然后在
but doesn't it creates a security breach where a user can technically update his own document with (admin:true)
and gain admin privilege?
if so, i'm guessing my approach should be creating a separate admins
collection and add my admins there and then do something in the lines of
allow read, write: if get(/admins/$(request.auth.uid)) != null
?还是我可以使用更漂亮的东西?
? or is there something prettier I can use?
推荐答案
此规则确实将允许任何人将自己标记为管理员,从而破坏了规则的全部目的:
This rule is indeed going to allow anyone to mark themselves as an Admin, defeating the whole purpose of your rules:
allow read, write: if get(/users/$(request.auth.uid)).data.admin == true;
您想要做的是:
- 为管理员用户提供自定义
admin:true 代码>声明
,然后您可以使用以下方法检入规则:<代码>允许读,写:if auth.token.admin === true; - 在您的安全规则中为管理员保留明确的UID列表,然后在每个规则中进行检查.因此:
允许读取,写入:if isAdmin();
,然后function isAdmin(request){返回request.auth.uid =="KqEizsqUQ6XMkUgLUpNxFnzLm4F3"}
. > - 在Firestore中的另一个(通常不可写)集合中保留管理员UID的列表,并进行检查.这几乎就是您所描述的,并且如果您想快速,轻松地添加/删除管理员,这是最常用的方法.
这篇关于允许管理员用户读取/写入所有其他用户的firebase安全规则会造成安全漏洞?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!