
Firebase rules security warning

I'm getting the following message in Firebase:

The Cloud Firestore "(default)" database of your project contains rules that are not secure.

But I have the rules as the documentation says, and I don't see any other option. What I want is that anyone can read, but only logged-in users can edit content.

These are my rules:

service cloud.firestore {
  match /databases/{database}/documents {
    // Recursive wildcard: this block applies to every document in the database
    match /{document=**} {
      // Anyone, signed in or not, may read
      allow read: if true;
      // Any signed-in user may read and write any document
      allow read, write: if request.auth.uid != null;
    }
  }
}

With these rules any authenticated user can write all documents in your database, including overwriting documents that were created by others. You're also allowing everyone (no matter whether they're authenticated) to read all data in the database, which seems much broader than most apps need. While these are close to some of the default rules you can start with, it is typically not enough for a production app, which is why you receive the warning.

You'll typically want to further lock down access to the database. For example, you might want to ensure that users can only write documents that contain their own UID in a specific field. That way you'll always know who created a document, and can use that to control access to that document.

If you are certain this is the minimum data access that your app requires to function, you can disable the warning emails in the Firebase console. But as said before, in my experience this type of access seems much broader than what I typically see in well-functioning, and well-protected, apps.
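A rule set that applies the answer's suggestion, added here as an example; it is not part of the original question or answer. It assumes a top-level `posts` collection and an `owner` field holding the creator's UID (both hypothetical names chosen for the example). Reads stay public, as the asker wanted, but creating a document requires the caller to stamp their own UID into `owner`, and updating or deleting requires that the stored `owner` is the caller and is not reassigned. It declares `rules_version = '2'` (the version the Firebase console currently emits by default) and tests `request.auth != null` rather than `request.auth.uid != null`, which is the documented way to check for a signed-in user.

```firestore
// Added example, not the rules from the question above.
// Collection name `posts` and field name `owner` are hypothetical placeholders.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // The request comes from a signed-in user.
    function signedIn() {
      return request.auth != null;
    }

    // The document being written (request.resource) names the caller as owner.
    // If `owner` is missing, the field access errors out and the rule denies.
    function ownerIsCaller() {
      return request.resource.data.owner == request.auth.uid;
    }

    // The document already stored (resource) is owned by the caller.
    function callerOwnsExisting() {
      return resource.data.owner == request.auth.uid;
    }

    match /posts/{postId} {
      // Public read, as the asker wanted.
      allow read: if true;

      // Create: must be signed in and must record your own UID as the owner.
      allow create: if signedIn() && ownerIsCaller();

      // Update: only the current owner, and the owner field may not be handed to someone else.
      allow update: if signedIn()
                    && callerOwnsExisting()
                    && request.resource.data.owner == resource.data.owner;

      // Delete: only the current owner.
      allow delete: if signedIn() && callerOwnsExisting();
    }

    // No catch-all `match /{document=**}` block: any path not matched above
    // is denied, which is the default in Firestore rules.
  }
}
```

Two points worth checking before deploying something like this: the separate `create`/`update`/`delete` grants replace the blanket `write`, so a signed-in user can no longer overwrite another user's document just by knowing its path; and because the client supplies `owner` on create, the rule is what enforces that it equals `request.auth.uid`, so trying this with a mismatched UID in the Rules Playground or the local emulator should be denied.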
