Firebase rules allowing write when they shouldn't be
Problem description
I have the following database entry: "companies: 8":
I have the following database rules, which do not allow a simulated write of "companies: 8" to the database.
{
  "rules": {
    ".read": "auth != null",
    ".write": "auth != null",
    "companies": {
      ".validate": "(data.exists() && (newData.val() === data.val() + 1)) || (!data.exists() && newData.val() == 0)"
    }
  }
}
However, when I try to write "companies: 20" to the database with the Firebase Python SDK, which also is not allowed under these rules, it works:
In [1]: import firebase_admin
In [2]: from firebase_admin import credentials, db
In [3]: cred = credentials.Certificate('serviceAccountCredentials_dev_async.json')
In [4]: firebase_admin.initialize_app(cred, {'databaseURL': 'https://async-testing.firebaseio.com/'})
Out[4]: <firebase_admin.App at 0x7fc50c00c080>
In [5]: ref = db.reference()
In [6]: ref.update({'companies': 20})
What am I doing wrong?
You are using the Firebase Admin SDK and it looks like you are initializing with the credentials for a service account. In this case, no security rules are applied, I think not even validation rules.
If there is a reason you must use the Admin SDK and want validation rules to be performed, authenticate with limited privileges:
As a best practice, a service should have access to only the resources it needs. To get more fine-grained control over the resources a Firebase app instance can access, use a unique identifier in your Security Rules to represent your service. Then set up appropriate rules which grant your service access to the resources it needs.
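An added example (not code from the question or the answer) of the limited-privilege initialisation the answer recommends: the Admin SDK's `databaseAuthVariableOverride` option makes requests carry an assumed service identity (`my-service-worker`, an assumed name) so Security Rules, including `.validate`, are evaluated instead of bypassed, and a local mirror of the question's `.validate` rule shows which writes would then be accepted.

```python
# Added example. A bare service account makes firebase_admin a superuser and
# no rule runs, which is why the question's "companies: 20" write succeeded.
# With databaseAuthVariableOverride the server sees auth.uid == <uid> and
# applies the rules; the rule evaluator below mirrors the question's
# ".validate" expression so the outcome can be checked offline.
from typing import Optional

SERVICE_UID = "my-service-worker"  # assumed identifier; rules may grant it access
                                   # with e.g. ".write": "auth.uid === 'my-service-worker'"


def admin_options(database_url: str, uid: Optional[str] = SERVICE_UID) -> dict:
    """Build the options dict for firebase_admin.initialize_app(cred, options).

    uid=None yields an unauthenticated client (auth == null), which the
    question's ".write": "auth != null" rule rejects outright.
    """
    return {
        "databaseURL": database_url,
        "databaseAuthVariableOverride": {"uid": uid} if uid else None,
    }


def companies_validate(data: Optional[int], new_data: int) -> bool:
    """Local mirror of the /companies .validate rule:
    (data.exists() && newData.val() === data.val() + 1)
        || (!data.exists() && newData.val() == 0)
    data=None stands for a missing node (data.exists() is false).
    """
    exists = data is not None
    return (exists and new_data == data + 1) or (not exists and new_data == 0)


def accepted_writes(data: Optional[int], candidates) -> list:
    """Return the candidate values the rule would let through for current data."""
    return [v for v in candidates if companies_validate(data, v)]


if __name__ == "__main__":
    # Real usage, network required; paths/URL are the ones from the question.
    import firebase_admin
    from firebase_admin import credentials, db

    cred = credentials.Certificate("serviceAccountCredentials_dev_async.json")
    firebase_admin.initialize_app(
        cred, admin_options("https://async-testing.firebaseio.com/"))
    # With rules enforced, this raises a permission error instead of succeeding.
    db.reference().update({"companies": 20})
```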