[英]How can I deny the admin from calling Firebase functions?
I have two firebase function triggers: 我有两个firebase函数触发器:
When the owner onUpdate is triggered it makes an operation and update the user document. 当触发所有者onUpdate时,它会进行操作并更新用户文档。
User onUpdate is called by the last operation, not from client. 用户onUpdate由最后一个操作调用,而不是从客户端调用。
Is there a way to deny the admin or the server from calling a function? 有没有办法拒绝管理员或服务器调用函数?
I search on Firebase documentation and i discover that if I use : 我搜索Firebase文档 ,我发现如果我使用:
console.log(context.auth.uid);
it will show up the user ID that makes the change, but I got this error : 它将显示进行更改的用户ID,但是我收到此错误:
Cannot read property 'uid' of undefined
So I tried to print the context Object and this is the result : 所以我尝试打印上下文对象,这是结果:
context : { eventId: '7eac4df1-85bd-47dd-b83a-827b63597e10-0',
eventType: 'google.firestore.document.update',
notSupported: {},
params:
{ serviceId: 'bY0RjOSgygnXuojmDyng',
userId: 'Poz0UKIShnSUJNPCrug3zvfiyKn1' },
resource:
{ service: 'firestore.googleapis.com',
name: 'projects/*Project name*/databases/(default)/documents/users/Poz0UKIShnSUJNPCrug3zvfiyKn1/services/bY0RjOSgygnXuojmDyng' },
timestamp: '2019-06-14T06:33:48.525983Z' }
So, my answer is : is there a function that returns true/false if a call is made from the server or client app? 所以,我的答案是: 如果从服务器或客户端应用程序进行调用,是否有一个返回true / false的函数?
I use a google Auth and when I call the function I'm authenticated 我使用google Auth,当我调用该功能时,我已通过身份验证
EDIT 编辑
UserCode Android UserCode Android
User delete an order. 用户删除订单。 (For GDPR policy I can't delete it but I need to make it invisible with the attribute canceled) (对于GDPR策略,我无法删除它,但我需要在取消属性时使其不可见)
FirebaseFirestore db = FirebaseFirestore.getInstance();
db.collection("users").document(User.getUserId())
.collection("orders").document(orderId)
.update("canceled", true);
UserCode Firebase Function UserCode Firebase功能
exports.updateLocalOrder = functions.firestore
.document('users/{userId}/orders/{orderId}')
.onUpdate((change, context) => {
const order = change.after.data();
const orderId = ontext.params.orderId;
const ownerId = order.ownerId;
if (order.canceled){
admin.firestore().collection("owners")
.doc(ownerId).collection("orders")
.doc(orderId).update("canceled", true);
}
...
});
OwnerCode Android OwnerCode Android
Owner delete an order. 所有者删除订单。 (For GDPR policy I can't delete it but I need to make it invisible with the attribute canceled) (对于GDPR策略,我无法删除它,但我需要在取消属性时使其不可见)
FirebaseFirestore db = FirebaseFirestore.getInstance();
db.collection("owners").document(Owner.getOwnerId())
.collection("orders").document(orderId)
.update("canceled", true);
OwnerCode Firebase Function OwnerCode Firebase功能
exports.updateUserOrder = functions.firestore
.document('owners/{ownerId}/orders/{orderId}')
.onUpdate((change, context) => {
const order = change.after.data();
const orderId = ontext.params.orderId;
const userId = order.userId;
if (order.canceled){
admin.firestore().collection("users")
.doc(userId).collection("orders")
.doc(orderId).update("canceled", true);
}
...
});
So every time I delete an order there will be a call to Functions from the client (Android app) and after that there will be an infinite call from server. 因此,每次删除订单时,都会从客户端(Android应用程序)调用函数,之后将从服务器进行无限调用。
IMPORTANT!!! 重要!!!
I don't want to make another collection called "orders". 我不想制作另一个名为“订单”的集合。 So the problem is not how I can manage my apps or how can I manage orders between user and owner because I only need to know how can I distinguish calls. 所以问题不在于我如何管理我的应用程序或如何在用户和所有者之间管理订单,因为我只需要知道如何区分呼叫。
There isn't a real answer to this problem, but I had solved it. 这个问题没有真正的答案,但我已经解决了。
When I update a document, if task is successful, I make an HTTP call to Firebase Function and update also the owner document. 当我更新文档时,如果任务成功,我会对Firebase功能进行HTTP调用并更新所有者文档。 I converted all Firestore triggers into OnCall functions so there is no recursion. 我将所有Firestore触发器转换为OnCall函数,因此没有递归。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.