Changing the Firebase Cloud rules


Problem description

I have the following rules in my Firebase Cloud database:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

I keep getting emails saying that:

We've detected the following issue(s) with your security rules:

  • Any user can read your entire database
  • Any user can write to your entire database

In our main screen, user can enter the app only by signing with email + password or with his phone number + code that he gets via SMS. Both work with the Firebase auth service. What should be the rules in that case?

Recommended answer

If you only want to allow access to authenticated users, you would modify your rules as follows:

// Allow read/write access on all documents to any user signed in to the application
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if request.auth != null;
    }
  }
}

Having said that, note the following two points:

  • By doing /{document=**} (i.e. using a recursive wildcard) you apply these rules to all the collections/documents of the Firestore database. It may be better to explicitly define the rules for each collection, in order to control the access to each collection in a more fine-grained manner. This way, you avoid any mistake in the future where you create a new non-public collection but forget to adapt the security rules.
  • Do not forget that anyone that has the Web API Key of your Firebase project (which is not difficult to find in the source code of your app) can create an account in your Firebase project, for example with a simple call to the Firebase Auth REST API. In other words, this rule only allows authenticated users to access your DB, but, by default, anyone can become an authenticated user.
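
A sketch of what per-collection rules could look like, as an added example that is not part of the original answer. The collection names `users` and `posts` and the `authorId` field are hypothetical; any path without a matching rule is denied, so a new collection stays closed until a rule is written for it.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper: true only for requests that carry a Firebase Auth token.
    function signedIn() {
      return request.auth != null;
    }

    // Hypothetical collection: one profile document per user, keyed by UID.
    // Being signed in is not enough; the caller must own the document.
    match /users/{userId} {
      allow read, write: if signedIn() && request.auth.uid == userId;
    }

    // Hypothetical collection: documents carry an authorId field.
    match /posts/{postId} {
      // Any signed-in user may read.
      allow read: if signedIn();

      // A new post must name the caller as its author.
      allow create: if signedIn()
                    && request.resource.data.authorId == request.auth.uid;

      // Only the author may update, and authorId may not be reassigned.
      allow update: if signedIn()
                    && resource.data.authorId == request.auth.uid
                    && request.resource.data.authorId == resource.data.authorId;

      // Only the author may delete.
      allow delete: if signedIn()
                    && resource.data.authorId == request.auth.uid;
    }

    // No recursive wildcard: every other path is denied by default.
  }
}
```

Because each rule ties access to `request.auth.uid`, an account that anyone creates through the Auth REST API can reach only the documents that account owns.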
