Some Firebase security rules apply for admin in Cloud Functions


Problem description


Cloud Function gets a firebase permission denied error when updating or removing.

The service account is initialized with credentials from a file in order to use auth.createCustomToken, which isn't currently available for the default account.

// Initialize the Admin SDK with an explicit service account key file.
const admin = require('firebase-admin');
const functions = require('firebase-functions');
const credential = admin.credential.cert(require('./credentials.json'));
admin.initializeApp({credential: credential, databaseURL: functions.config().firebase.databaseURL});

The security rules that prevent the updates:

"downloads": {
  "$key": {
    ".write": "data.val() == null"
  }
}

The user inserts data with push into /downloads, then the Cloud Function tries to update and subsequently remove it. Both of these operations fail even though admin accounts supposedly bypass all security rules including validation.

FIREBASE WARNING: update at /downloads/-Kexz33ljYjKblF_ZgUo failed: permission_denied
FIREBASE WARNING: set at /downloads/-Kexz33ljYjKblF_ZgUo failed: permission_denied

The first error (update) disappears if I change the rules to this:

"downloads": {
  "$key": {
    ".write": "newData.child('uid').val() == auth.uid"
  }
}

UPDATE

The workaround is to redefine event.data.ref to be

ref = admin.database().ref(event.data.ref.path.toString())

Solution

Within the event.data object returned to your Cloud Function's onWrite() callback, there are two types of Database references: one that is scoped to the same permissions as the user who triggered the write (event.data.ref) and one that is scoped with admin rights, granting full read and write access (event.data.adminRef). I can't tell since you didn't provide a code sample showing your Cloud Function, but I bet you are using event.data.ref. Switching to use event.data.adminRef should resolve your problem.
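
The behaviour described in the question and answer, as an added example that is not part of the original post and does not use the Firebase SDK: a small in-memory model (every function name and sample value is constructed) that applies the two `.write` rules to a user-scoped reference, skips them for an admin-scoped one, and replays the push, update and remove sequence.

```javascript
// Constructed in-memory model, not the Firebase SDK: all names here are hypothetical.
const rules = {
  // ".write": "data.val() == null" -> only a location with no data is writable
  createOnly: ({ data }) => data === null,
  // ".write": "newData.child('uid').val() == auth.uid"
  ownerOnly: ({ newData, auth }) =>
    auth !== null && newData !== null && newData.uid === auth.uid,
};

// Build a reference; user-scoped refs are checked against the rule, admin refs are not.
// Each write returns true when applied and false for permission_denied.
function makeRef(store, key, rule, auth, isAdmin) {
  const write = (newData) => {
    const data = key in store ? store[key] : null;
    if (!isAdmin && !rule({ data, newData, auth })) return false;
    if (newData === null) delete store[key];
    else store[key] = newData;
    return true;
  };
  return {
    set: write,
    update: (patch) => write(Object.assign({}, store[key], patch)),
    remove: () => write(null), // a removal is a write of null, so it is logged as "set"
  };
}

// Replay the question's sequence: the user pushes, then the function updates and removes.
function replay(ruleName, refName) {
  const store = {};
  const auth = { uid: 'alice' };  // constructed user
  const key = '-KconstructedKey'; // constructed push id
  const data = {
    ref: makeRef(store, key, rules[ruleName], auth, false),     // like event.data.ref
    adminRef: makeRef(store, key, rules[ruleName], auth, true), // like event.data.adminRef
  };
  const pushed = data.ref.set({ uid: 'alice', file: 'report.pdf' });
  const updated = data[refName].update({ status: 'processed' });
  const removed = data[refName].remove();
  return { pushed, updated, removed, left: Object.keys(store).length };
}

for (const [rule, ref] of [['createOnly', 'ref'], ['ownerOnly', 'ref'], ['createOnly', 'adminRef']]) {
  console.log(rule, ref, JSON.stringify(replay(rule, ref)));
}
```

Under the second rule the update passes because the merged data still carries the user's uid, while the removal is still denied because newData is null; only the admin-scoped reference completes all three writes.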
