Firestore Rules Not Working At All with Functions
Question

service cloud.firestore {
  match /databases/{database}/documents {
    match /pool/{poolId} {
      allow read: if request.auth != null;
      allow write: if request.auth != null && get(/databases/$(database)/documents/user/$(request.auth.uid)).data.admin == true;
    }
  }
}

I wrote the previous rules by following https://firebase.google.com/docs/firestore/security/rules-conditions#access_other_documents.
I expected that, for a user to add a new document to the collection pool, a document with the ID request.auth.uid should exist in the collection user and have an entry admin: true.

But every request from Functions

    // pool is an Express router; db is the Firestore client used inside the function
    pool.post('/add', async (req, res) => {
        const added = await db.collection('pool').add({
            ...
        });
        res.send({ id: added.id }); // reply so the client does not hang
    });

is allowed to add a new document to the collection pool.

Even the following rules

service cloud.firestore {
  match /databases/{database}/documents {
    match /pool/{poolId} {
      allow read, write: if false;
    }
  }
}

do not disallow any requests from Functions...

What's the problem with the rules? Or is there something in Functions that makes the rules not work? Or in my project configuration...?

Answer 1

Score: 3

Cloud Functions for Firebase use the Node.js Admin SDK, which completely bypasses the security rules, since it is considered a "privileged environment".

You'll find a note on this in the Firestore doc:

> Note: The server client libraries bypass all Cloud Firestore Security Rules

If you want to restrict your HTTPS Cloud Function to only the Firebase users of your app (and identify which user is calling it through the decoded ID token), you can follow the official Firebase Cloud Functions sample: Authorized HTTPS Endpoint.
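The application-side check the answer points at, written out as an added example (it is not code from the question, the answer or the Firebase sample). Because the Admin SDK ignores the `allow write` rule, the function itself has to verify the caller's ID token and re-implement the `user/{uid}.admin == true` test before writing to `pool`. The token verifier and the user lookup are injected so the block runs offline against the constructed fakes below; `firebaseDeps` shows the assumed wiring to `admin.auth().verifyIdToken()` and a Firestore document read, and `makeAddHandler` is a hypothetical replacement for the `pool.post('/add', ...)` handler.

```javascript
// Added example: enforce "signed in AND user/{uid}.admin == true" inside an
// HTTPS function, since Firestore rules do not apply to Admin SDK writes.

const BEARER = /^Bearer (.+)$/i;

// Pull the Firebase ID token out of "Authorization: Bearer <token>", else null.
function bearerToken(req) {
  const header = req.headers && (req.headers.authorization || req.headers.Authorization);
  if (typeof header !== 'string') return null;
  const m = BEARER.exec(header.trim());
  return m ? m[1] : null;
}

// Build the authorizer from two callbacks: verifyIdToken(token) -> {uid,...}
// (rejects on a bad token) and getUserDoc(uid) -> user document data or null.
// It returns {ok, status, uid, reason} and never touches `res`, so it is easy
// to unit test and to reuse in several routes.
function makePoolWriteAuthorizer({ verifyIdToken, getUserDoc }) {
  return async function authorizePoolWrite(req) {
    const token = bearerToken(req);
    if (!token) return { ok: false, status: 401, reason: 'missing bearer token' };

    let decoded;
    try {
      decoded = await verifyIdToken(token); // rejects on bad signature, expiry, wrong project
    } catch (e) {
      return { ok: false, status: 401, reason: 'invalid ID token' };
    }
    const uid = decoded && decoded.uid;
    if (!uid) return { ok: false, status: 401, reason: 'token has no uid' };

    // Mirror of the rule: get(/user/$(request.auth.uid)).data.admin == true.
    // A missing user document is treated exactly like admin != true.
    const user = await getUserDoc(uid);
    if (!user || user.admin !== true) {
      return { ok: false, status: 403, uid, reason: 'not an admin' };
    }
    return { ok: true, status: 200, uid };
  };
}

// Assumed real wiring: `admin` is an initialised firebase-admin app. Not run
// here; it only shows which SDK calls the injected callbacks stand in for.
function firebaseDeps(admin) {
  const db = admin.firestore();
  return {
    verifyIdToken: (t) => admin.auth().verifyIdToken(t),
    getUserDoc: async (uid) => {
      const snap = await db.collection('user').doc(uid).get();
      return snap.exists ? snap.data() : null;
    },
  };
}

// Express-style handler for POST /add. `addToPool` is the Admin SDK write
// (in the real function: (doc) => db.collection('pool').add(doc)).
function makeAddHandler(authorize, addToPool) {
  return async function addHandler(req, res) {
    const auth = await authorize(req);
    if (!auth.ok) return res.status(auth.status).send({ error: auth.reason });
    const added = await addToPool({ ...req.body, createdBy: auth.uid });
    return res.status(201).send({ id: added.id });
  };
}

// --- constructed offline fakes standing in for Firebase Auth and Firestore ---
const FAKE_TOKENS = { 'tok-alice': { uid: 'alice' }, 'tok-bob': { uid: 'bob' } };
const FAKE_USERS = { alice: { admin: true }, bob: { admin: false } }; // user/{uid}

const fakeDeps = {
  verifyIdToken: async (t) => {
    if (!FAKE_TOKENS[t]) throw new Error('auth/argument-error');
    return FAKE_TOKENS[t];
  },
  getUserDoc: async (uid) => FAKE_USERS[uid] || null,
};

const authorizePoolWrite = makePoolWriteAuthorizer(fakeDeps);

// Real deployment would be:
//   const authorize = makePoolWriteAuthorizer(firebaseDeps(admin));
//   pool.post('/add', makeAddHandler(authorize, (doc) => db.collection('pool').add(doc)));
```

The client has to send the token it gets from `user.getIdToken()` in the `Authorization` header; a request with no header or a forged token is refused with 401 before any Firestore read happens, and a signed-in non-admin gets 403. Keep the Firestore rules in place as well: they still govern the web and mobile client SDKs, which are the callers the rules were designed for.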

Posted by huangapple on 2023-02-14 00:18:12. Please keep this link when reposting: https://go.coder-hub.com/75438520.html