Firebase规则允许在不应该写入的情况下进行写入 [英] Firebase rules allowing write when they shouldn't be

问题描述

我有以下数据库条目：公司：8：

我有遵循数据库规则，不允许模拟写入公司：8到数据库。

  {
rules：{
.read：auth！= null， 
.write：auth！= null，
companies：{
.validate：（data.exists（）&（newData.val ）=== data.val（）+ 1））||（！data.exists（）& newData.val（）== 0）

} 
 } 
  

但是，当我尝试使用Firebase Python SDK编写公司：20数据库时，这些规则也不允许这样做：

  In [1]：import firebase_admin 
 
 In [2]：from firebase_admin import credentials，db 
 
 In [ 3]：cred = credentials.Certificate（'serviceAccountCredentials_dev_async.json 
 ...：'）
 
在[4]：firebase_admin.initialize_app（cred，{'databaseURL'：'https ：// async-testi 
 ...：ng.firebaseio.com/'}）
 Out [4]：< firebase_admin.App at 0x7fc50c00c080> 
 $ b $在[5]：ref = db.reference（）
 
在[6]：ref.update（{'companies'：20}）
  

我在做什么错？

解决方案

您正在使用Firebase Admin SDK，看起来像用服务帐户的凭证初始化。在这种情况下，没有应用安全规则，我认为甚至没有验证规则。

如果您有一个理由，您必须使用Admin SDK并且要执行验证规则，使用有限权限进行身份验证：

最佳做法是服务只能访问它所需的资源
。要更好地控制
Firebase应用程序实例可以访问的资源，请在
安全规则中使用唯一标识符来表示您的服务。然后设置适当的
规则，使您的服务可以访问所需资源。

I have the following database entry: "companies: 8":

I have the following database rules, which do not allow a simulated write of "companies: 8" to the database.

{
  "rules": {
      ".read": "auth != null",
      ".write": "auth != null",
        "companies": {  
              ".validate": "(data.exists() && (newData.val() === data.val() + 1)) || (!data.exists() && newData.val() == 0)" 
        }
  }
}

However, when I try to write "companies: 20" to the database with the Firebase Python SDK, which also is not allowed under these rules, it works:

In [1]: import firebase_admin

In [2]: from firebase_admin import credentials, db

In [3]: cred = credentials.Certificate('serviceAccountCredentials_dev_async.json
   ...: ')

In [4]: firebase_admin.initialize_app(cred, {'databaseURL': 'https://async-testi
   ...: ng.firebaseio.com/'})
Out[4]: <firebase_admin.App at 0x7fc50c00c080>

In [5]: ref = db.reference()

In [6]: ref.update({'companies': 20})

What am I doing wrong?

解决方案

You are using the Firebase Admin SDK and it looks like you are initializing with the credentials for a service account. In this case, no security rules are applied, I think not even validation rules.

If there is a reason you must you the Admin SDK and want validation rules to be performed, authenticate with limited priveleges:

As a best practice, a service should have access to only the resources it needs. To get more fine-grained control over the resources a Firebase app instance can access, use a unique identifier in your Security Rules to represent your service. Then set up appropriate rules which grant your service access to the resources it needs.

这篇关于Firebase规则允许在不应该写入的情况下进行写入的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！