堆栈内存溢出
  简体   繁体   English

Firebase 安全规则混乱

[英]Firebase security rules confusion

 原文  2020-03-28 13:03:14       firebase/ flutter/ firebase-authentication/ firebase-security

问题描述

I have a flutter app which uses pdf files and video files.我有一个使用 pdf 文件和视频文件的 flutter 应用程序。 I have put these files in firebase storage and I put the url of these files in database collections to use them in my app.我已将这些文件放在 firebase 存储中,并将这些文件的 url 放在数据库集合中以在我的应用程序中使用它们。 I do not want any email and password authentication on my app.我不想在我的应用程序上进行任何电子邮件和密码身份验证。 Are my pdf and video files secure?我的 pdf 和视频文件安全吗? Can anybody access them or obtain them?任何人都可以访问它们或获取它们吗? This is my rules for database:这是我的数据库规则:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write;
    }
  }
}

This is my rules for firebase storage :这是我的 firebase 存储规则:

service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write;
    }
  }
}

2 个解决方案

解决方案1
 2 已采纳  2020-03-28 13:13:29

Your rules allows anybody to read, modify or delete your files, so not, your files are not safe at all.您的规则允许任何人读取、修改或删除您的文件,因此您的文件根本不安全。 If you want your files to be safe, you must consider implement some kind of authentication and set the appropriate rules to only you or certain group of users be able to access your files.如果您希望您的文件安全,您必须考虑实施某种身份验证并设置适当的规则,以便只有您或某些用户组才能访问您的文件。

You can read more about setting rules in the Firebase documentation .您可以在Firebase 文档 中阅读有关设置规则的更多信息。

解决方案2
 2  2020-03-28 14:57:52

If you don't want to ask your users to enter credentials, but still want a modicum of security, consider using Firebase's anonymous authentication provider.如果您不想让用户输入凭据,但仍需要一点安全性,请考虑使用 Firebase 的匿名身份验证提供程序。 From the documentation:从文档:

You can use Firebase Authentication to create and use temporary anonymous accounts to authenticate with Firebase.您可以使用 Firebase 身份验证来创建和使用临时匿名帐户向 Firebase 进行身份验证。 These temporary anonymous accounts can be used to allow users who haven't yet signed up to your app to work with data protected by security rules.这些临时匿名帐户可用于允许尚未注册您的应用程序的用户使用受安全规则保护的数据。 If an anonymous user decides to sign up to your app, you can link their sign-in credentials to the anonymous account so that they can continue to work with their protected data in future sessions.如果匿名用户决定注册您的应用程序,您可以 将他们的登录凭据链接到匿名帐户,以便他们可以在以后的会话中继续使用受保护的数据。

Of course if you don't want to associate your files or data with a specific user, then anonymous auth is also pretty meaningless.当然,如果您不想将您的文件或数据与特定用户相关联,那么匿名身份验证也毫无意义。 But at that point you're indeed looking to allow pure unauthenticated public access.但在这一点上,您确实希望允许纯粹的未经身份验证的公共访问。 This may be a fine option too, as long as you realize that your project will be charged for any reads/writes by any users.这也可能是一个不错的选择,只要您意识到您的项目将对任何用户的任何读/写收费。

If you want any users, without identifying them or providing credentials, to be able to read the data/files, but not write any data/files of their own, you're looking for read-only rules:如果您希望任何用户在不识别他们或提供凭据的情况下能够读取数据/文件,但不能写入他们自己的任何数据/文件,那么您正在寻找只读规则:

allow read; if true;
allow write: if false;

Or shorter, but less explicit to read:或者更短,但阅读起来不那么明确:

allow read

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 带有Firebase规则的addChildEventListener - addChildEventListener with firebase rules Confusion Firebase规则安全警告 - Firebase rules security warning Firebase安全规则不起作用 - The Firebase security rules not works Firebase安全规则不起作用 - Firebase security rules not works Firebase 层次结构安全规则 - Firebase hierarchy security rules Firebase 安全规则 - Unity - Firebase Security Rules - Unity Firebase 安全规则 (.read) - Firebase security rules (.read) Firebase中的安全规则 - Security rules in Firebase Firebase数据库安全规则 - Firebase database security rules 使用通配符的Firebase安全规则 - Firebase security rules with wildcards
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM