Firebase 和用户个人资料“安全”
[英]Firebase & User Profile "Security"
问题描述
I am currently tackling an issue within my code, which somewhat relates to security.
我目前正在解决我的代码中的一个问题,该问题与安全性有关。 Not in the sense of payment or personal information, but more so just the "ownership" of someones profile.不是在付款或个人信息的意义上,而是更多的是某人个人资料的“所有权”。
Currently, a users basic information (name, email, bio, etc) is stored on Firebase, and all information is displayed publicly on their profile.目前,用户的基本信息(姓名、电子邮件、生物等)存储在 Firebase 上,所有信息都公开显示在他们的个人资料中。
However, to decide whether the current owner logged in using Firebase Auth is the owner of the profile they are currently on, I run a basic if function.但是,要确定使用 Firebase Auth 登录的当前所有者是否是他们当前所在配置文件的所有者,我运行了一个基本的if函数。
if(this.userInfo.user_slug == this.$route.params.id && this.user)
then I set "can edit" to true.然后我将“可以编辑”设置为true。 However, this feels... weak.然而,这感觉……很弱。 Can someone just hop in, toggle that to true and get access to the ability to edit the profiles information, even if not the owner?有人可以跳进去,将其切换为 true 并获得编辑个人资料信息的权限,即使不是所有者吗? And, if so what is the best/simplest way to make sure that the only person who can edit the profile is the one who is logged in and matchs it.而且,如果是这样,确保唯一可以编辑个人资料的人是登录并匹配个人资料的人,最好/最简单的方法是什么。
Thanks!谢谢!
1 个解决方案
解决方案1
1 2020-02-17 14:27:31
Currently, a users basic information (name, email, bio, etc) is stored on Firebase, and all information is displayed publicly on their profile.
When using the Firebase Authentication client-side SDK, a user is only allowed to access and update their own profile information.使用 Firebase 身份验证客户端 SDK 时,用户只能访问和更新自己的个人资料信息。 Through these SDKs there is no way for them to read/write other user's information.通过这些 SDK,他们无法读取/写入其他用户的信息。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.