英文:
Do I need to define firebase security rules for my app which stores all stickers image in database and its url in cloud firestore?
问题
我将代码部分排除,只提供翻译的内容:
我将图像存储在 Firebase 存储中,并将它们的 URL 和下载计数分别存储在 Cloud Firestore 中的 "imageurl" 和 "downloadCount" 字段下。我从 Firebase 中获取所有图像,并使它们在我的应用程序中可供下载。每当用户下载一张图像时,我会将其下载计数增加一次。为此,我必须将我的 Cloud Firestore 的读取和写入规则设置为 "if true"。我没有对任何用户进行身份验证。我已将我的Firebase 存储设置为 "if true" 读取和 "if false" 写入。我对我的情况要设置哪些规则感到困惑,因为我的应用程序不需要身份验证,也没有上传任何数据或访问其他用户的数据的方式,它只是一个从 Firebase 获取图像并显示供下载的简单图像下载应用程序。有人可以指导我,我的应用程序的 Firebase 规则是否存在任何问题,或者对我的用例来说是否可以。
英文:
I am storing images in firebase storage and its url and download count in cloud firestore under imageurl and downloadCount field respectively. I am fetching all the images from firebase and making them available for download inside my app. Everytime an user downloads an image I am increasing its download count by one. For this I have to set my cloud firestore read and write rules to if true. I am not authenticating any user. I have set my firebase storage as read to if true and write to if false. I am confused what rules to set in my case as my app requires no authentication neither there is any way to upload any data or acess data of other user, it's just a simple image downloading app which fetch images from firebase and display it for download. Can someone guide me if there is any issue with the firebase rules that I have set for my app or its okay for my use case?
答案1
得分: 1
如果安全性对您很重要,请遵循以下步骤:
为您的应用添加Firebase规则很重要。如果您不希望应用程序中有任何身份验证(因为这将节省用户获取这些图像所需的时间),最好至少拥有Firebase的匿名身份验证服务,并在后台对每个用户进行身份验证。在这里,您将找到匿名身份验证文档:https://firebase.google.com/docs/auth。
要了解如何设置安全规则,请查看此中等博客,它清楚地解释了如何设置规则以保护我们的数据。对于Firestore,请点击这里。
拥有访问您数据库URL的任何用户都可以发送不必要的请求,可能会导致阻止或对您的帐户造成成本。
因此,设置规则不是强制性的,它取决于您的需求。 
英文:
If security is an important prospect for you then please follow these :
Adding Firebase rules for your app is important. If you don't want any authentication in your app (as it will save some time of user to get those image) better to have at-least the anonymous authentication service of Firebase and authenticate each user in the background. Here you will find the Anonymous Auth doc : https://firebase.google.com/docs/auth .
To know how to set up security rules follow this medium blog, It explains clearly about how we can set-up rules in order to protect our data. For Firestore click here
Any user who has the access to your database URL can send unnecessary requests and may cause blocking or costing to your account.
So its not mandatory to set-up rules, It depends upon your requirements.
答案2
得分: 0
答案是,我的应用程序不涉及授权,也不允许用户上传到数据库/文件存储或访问除图像、下载计数和图像名称之外的任何其他信息,因此我不需要定义任何严格的 Firebase 安全规则。由于只有通过下载图像来增加下载计数,最佳做法是定义规则,只允许通过将写权限更新为以下内容来增加下载计数字段:
match/{document=**} {
allow write: if request.resource.data.keys().hasOnly(['downloadCount']);
}
上述代码确保除了用户下载图像时的下载计数之外,文档的其他字段都不可写。
如果您的应用程序需要任何形式的授权、上传或编辑到您的数据库,则必须设置严格的规则,以确保您和用户的数据安全。
英文:
The answer is, My app does not involve authorization or allow any user to upload to the database/firestore or allow access to any other information other than images,downloadCount and Image name, I dont need to define any strict security rules to my firebase. Since only the download count is increased by downloading the image,the best practice is to define rule that will allow only the increment of downloadCount field by updating the write permission to the following:
match/{document=**} {
allow write: if request.resource.data.keys().hasOnly(['downloadCount']);
}
The above code ensures no other field of document is writable except for the downloadCount when user downloads the images.
If your app requires any form of authorization or uploading or editing into your database then you must set the strict rules to make yours as well as users data safe.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论