Does the Firebase database online editor ignore security rules?
Problem description
I have rules set up that ensure a foreign-key-like constraint: when I put data at a certain path, the key is validated to exist at another node.
Rule snippet:
"app": {
  "freebies": {
    "$provider_id": {
      ".validate": "newData.parent().parent().parent().child('app').child('providers').child($provider_id).val() != null"
    }
  }
}
If I run a simulation with these params:
Write to /app/freebies
with data: {"totally_fake": 1}
This fails, which is CORRECT.
On the other hand, if I just go to the online editor and add a node to the same location with the same data, it writes the DB without errors.
My question is: does the online editor bypass the security rules?
Yes, it does. The Firebase console, as well as the Admin SDKs, bypass security rules and have "administrative" access to the Realtime Database.
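Since writes from the console and the Admin SDKs are not checked against `.validate`, the constraint can be re-checked after the fact. The following is an added example, not part of the original question or answer: it audits a JSON export of the database for `freebies` keys that have no matching `providers` key. The sample data and the names `CONSTRAINTS`, `getPath`, `exists` and `findViolations` are assumptions made for illustration.

```javascript
// Added example, not from the original post. Audits a JSON export of the
// Realtime Database for keys that the ".validate" rule above would reject.

// Constructed sample export; "totally_fake" stands for a console-written node.
const sampleExport = {
  app: {
    providers: { acme: { name: "Acme" }, globex: { name: "Globex" } },
    freebies: { acme: { item: "sticker" }, totally_fake: 1 },
  },
};

// Each constraint: every key under `child` must also exist under `parent`.
// The single entry restates the rule from the question.
const CONSTRAINTS = [{ child: "app/freebies", parent: "app/providers" }];

// Walk a slash-separated path; returns undefined when any segment is missing.
function getPath(root, path) {
  return path.split("/").filter(Boolean).reduce(
    (node, key) => (node !== null && typeof node === "object" ? node[key] : undefined),
    root
  );
}

// Mirrors `.val() != null`: the database stores no nulls and no empty objects.
function exists(value) {
  if (value === null || value === undefined) return false;
  if (typeof value === "object") return Object.keys(value).length > 0;
  return true;
}

// Returns one record per key that breaks a constraint, sorted by path.
function findViolations(root, constraints) {
  const violations = [];
  for (const { child, parent } of constraints) {
    const children = getPath(root, child);
    if (!exists(children) || typeof children !== "object") continue;
    for (const key of Object.keys(children)) {
      if (!exists(getPath(root, `${parent}/${key}`))) {
        violations.push({ path: `${child}/${key}`, missing: `${parent}/${key}` });
      }
    }
  }
  return violations.sort((a, b) => a.path.localeCompare(b.path));
}

console.log(findViolations(sampleExport, CONSTRAINTS));
```

Run against a real export, an empty result means every key under `app/freebies` still has its provider; any entry listed was written through a path that skipped the rule.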