Firebase 实时数据库规则的安全性
[英]Security of firebase realtime database rules
问题描述
In my application I use custom claims to assign roles to users.
在我的应用程序中,我使用自定义声明为用户分配角色。 The admin can change the roles of people with a snazzy toggle button (using a cloud function), so (s)he needs to see a list of all of the users... But on the other hand when a user registers they need to be added to the users database collection.管理员可以使用时髦的切换按钮(使用云功能)更改人员的角色,因此(她)需要查看所有用户的列表......但另一方面,当用户注册时,他们需要添加到用户数据库集合中。 This collection isn't used to authorize anything obviously, but it's just so that the admin can change the roles for the users in that collection.这个集合显然不用于授权任何东西,但它只是为了管理员可以更改该集合中用户的角色。 So the admin needs to be able to read the table and everyone needs to be able to write in the collection.... So my rules in this regard look like this:所以管理员需要能够读取表格,每个人都需要能够在集合中写入......所以我在这方面的规则如下所示:
{
"rules": {
"users": {
".read": "auth.token.isAdmin === true",
".write": true
},
I have checked in the redux store and it seems to work.我已经检查了 redux 商店,它似乎有效。 I call the action creator fetching the users in a component and access it when I'm a regular user and I see that the users node in redux store remains empty... When I'm logged in as admin and go to the component I see that the users node is filled... So it seems to work, but I want to be sure this is a safe way of working, because having everyone writing to the table just feels wrong :-) But like I said, the table itself isn't used to authorize anything, so perhaps it's ok.....我调用 action creator 获取组件中的用户并在我是普通用户时访问它,我看到 redux 存储中的用户节点仍然是空的......当我以管理员身份登录并转到组件时,我看到用户节点被填满了......所以它似乎工作,但我想确保这是一种安全的工作方式,因为让每个人都写到桌子上感觉不对:-)但是就像我说的,桌子本身不用于授权任何东西,所以也许没关系.....
Thanks for any opinions on this :-)感谢您对此的任何意见:-)
With kind regards, David亲切的问候,大卫
1 个解决方案
解决方案1
0 已采纳 2020-09-10 13:28:18
What you have is a fairly common pattern: everyone can write a request, but only authorized user can read the requests.您拥有的是一个相当常见的模式:每个人都可以编写请求,但只有授权用户才能读取请求。
There is no inherent security risk of leaking information in this pattern, as long as you ensure only the authorized user had isAdmin == true .这种模式不存在泄露信息的固有安全风险,只要您确保只有授权用户拥有isAdmin == true 。
But right now any user can write whatever they want to the /users node.但是现在任何用户都可以向/users节点写入任何他们想要的内容。 Which also means that any user can delete all existing data with a simple: firebase.database().ref("users").remove() call.这也意味着任何用户都可以通过一个简单的: firebase.database().ref("users").remove()调用删除所有现有数据。 That is probably something you'll want to protect against.这可能是您想要防范的。
How to do that depends on how and what the users write to /users .如何做到这一点取决于用户写入/users方式和内容。 For example, if they write their own user profile under their and you're using their UID as the key, you could ensure that users can only write their own profile with:例如,如果他们在他们的下面编写自己的用户配置文件,而您使用他们的 UID 作为密钥,则可以确保用户只能使用以下内容编写自己的配置文件:
{
"rules": {
"users": {
".read": "auth.token.isAdmin === true",
"$uid": {
".write": "auth.uid === $uid"
}
}
}
}
As said, this depends on the actual data you write though, so you'll want to check the Firebase documentation on securing data access and implement that for your use-case.如前所述,这取决于您编写的实际数据,因此您需要查看有关保护数据访问的 Firebase 文档并为您的用例实施该文档。
One more thing I'd consider is to restrict what users can write to this node in the database.我会考虑一件事是限制哪些用户可以写入到数据库中的这个节点。 For example you could use a .validate rule to restrict the values they can write, or even a .write rule to ensure the user only writes their own data.例如,您可以使用.validate规则来限制他们可以写入的值,甚至可以使用.write规则来确保用户只写入他们自己的数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.