堆栈内存溢出
  简体   繁体   English

如何保护我的 Firestore 数据库免受不必要的访问?

[英]How can I secure my Firestore database agains unwanted access?

 原文  2021-03-16 14:19:36       javascript/ firebase/ google-cloud-firestore/ firebase-security

问题描述

I am using Firebase Firestore to store a list of transactions in a collection called transactions .我正在使用 Firebase Firestore 将交易列表存储在名为transactions的集合中。

I use react to get the transaction from the collection, using a URL with the id of the transaction document: http://myurl.com/h1kj54h2jk35h我使用 react 从集合中获取交易,使用 URL 和交易文档的 id: http://myurl.com/h1kj54h2jk35h

const id = match.params.id;
firebase.firestore().collection('transactions').doc(id).get()

The same way I create a new doc.与我创建新文档的方式相同。 I have not firebase authentication.我没有firebase认证。

How can I secure my Firestore rules:如何保护我的 Firestore 规则:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /transactions/{id} {
      allow read, write;
    }
  }
}

If I don't allow write, I can't create new transactions.如果我不允许写入,则无法创建新事务。 If I don't allow read, I can't read the transaction, but I don't want to allow the read of all transactions.如果我不允许读取,则无法读取事务,但我不想允许读取所有事务。 Only the once when the id from the URL is valid.只有一次来自 URL 的 id 有效。

Thus, I am looking for a way to protect my database agains unwanted document creations and unwanted document reads.因此,我正在寻找一种方法来保护我的数据库免受不需要的文档创建和不需要的文档读取。

1 个解决方案

解决方案1
 2 已采纳  2021-03-16 14:40:03

I think you're looking for what are called granular operations .我认为您正在寻找所谓的粒度操作 From that link:从那个链接:

In some situations, it's useful to break down read and write into more granular operations.在某些情况下,将读写分解为更细粒度的操作很有用。 For example, your app may want to enforce different conditions on document creation than on document deletion.例如,您的应用程序可能希望对文档创建和删除文档强制执行不同的条件。 Or you may want to allow single document reads but deny large queries.或者您可能希望允许读取单个文档但拒绝大型查询。

A read rule can be broken into get and list , while a write rule can be broken into create , update , and delete . read规则可以分为getlist ,而write规则可以分为createupdatedelete

So if you want to only allow creation of new documents, and getting of document for which a user must know the ID, that'd be:因此,如果您只想允许创建新文档并获取用户必须知道 ID 的文档,那就是:

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /transactions/{id} {
      allow create, get;
    }
  }
}

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何修复我的 firestore 数据库设置错误? - How can I fix my firestore database setup error? 如何访问 asyncData 中的 Firestore? - How can I access the firestore in asyncData? 如何提交我的表单,提交后我想将文档更新到 Firestore 数据库 - how can I submit my form and after submit i want to update doc to firestore database 我如何将我的 firebase 实时数据库 function 转换为 firestore function - How can i convert my firebase realtime database function to firestore function 我如何在 firestore 上查询我的 subCollection? - How i can query my subCollection on firestore? 如何使用 Firestore 读取我的 function? - How can I read my function with firestore? 如何从 Firestore 订购我的数据库结果? - How do I order my database results from Firestore? 如何保护我的网站免受注入(Cookie编辑) - How can I secure my website from injections (Cookie editing) 如何等待Firestore数据库请求完成? - How can I wait for a Firestore database request to complete? 如何确保对Devise / CanCan / JavaScript的使用? - How can I secure my use of Devise/CanCan/JavaScript?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM