Posted: 2018-05-05 09:18:41
Question:
Can I trust incoming data in Firestore, or do I have to check everything and never trust incoming data at all, since the client can forge everything?
For example, can the client forge the uid, email and displayName?
firebase.firestore().collection("users").doc(state.user.uid).collection("friendRequests").doc(payload.uid).set({
  uid: payload.uid,
  email: payload.email,
  displayName: payload.displayName
});
Firestore rules:
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read;
    }
    match /users/{userId} {
      allow read, update, delete: if request.auth.uid == userId;
      allow create: if request.auth.uid != null;
    }
    match /users/{userId}/friendRequests/{friendId} {
      allow create: if userId == request.auth.uid
        && friendId != request.auth.uid
        && !exists(/databases/$(database)/documents/users/$(request.auth.uid)/friends/$(friendId))
        && !exists(/databases/$(database)/documents/users/$(request.auth.uid)/friendRequests/$(friendId))
        && !exists(/databases/$(database)/documents/users/$(friendId)/friends/$(request.auth.uid))
        && !exists(/databases/$(database)/documents/users/$(friendId)/friendRequests/$(request.auth.uid));
    }
  }
}
The ruleset is already large, and I haven't even checked whether the data structure is valid or whether the friend uid exists.
Discussion:
Tags: google-cloud-firestore firebase-security
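As an added example (not code from the question or from Firebase's own documentation): the friendRequests rule above, tightened so that the rules engine validates the shape of the incoming document and cross-checks the client-supplied uid, email and displayName against the friend's own profile document. It assumes that /users/{uid} documents carry `email` and `displayName` fields; only the friendRequests match is shown, the rest of the ruleset is unchanged.

```firestore
service cloud.firestore {
  match /databases/{database}/documents {
    // Helper: the canonical profile of a user, read server-side by the rules engine.
    // Assumes /users/{uid} holds `email` and `displayName` fields.
    function profile(uid) {
      return get(/databases/$(database)/documents/users/$(uid)).data;
    }
    // Helper: true if `a` already lists `b` as a friend or as a pending request.
    function alreadyLinked(a, b) {
      return exists(/databases/$(database)/documents/users/$(a)/friends/$(b))
          || exists(/databases/$(database)/documents/users/$(a)/friendRequests/$(b));
    }

    match /users/{userId}/friendRequests/{friendId} {
      allow create: if request.auth != null
        && userId == request.auth.uid
        && friendId != request.auth.uid
        // Shape check: exactly these three keys, nothing extra smuggled in alongside them.
        && request.resource.data.keys().hasOnly(['uid', 'email', 'displayName'])
        && request.resource.data.keys().hasAll(['uid', 'email', 'displayName'])
        && request.resource.data.uid is string
        && request.resource.data.email is string
        && request.resource.data.displayName is string
        // The stored uid must equal the document id the request is written under.
        && request.resource.data.uid == friendId
        // Cross-check the client-supplied fields against the friend's own profile.
        // get() on a missing /users/{friendId} makes the rule evaluate to deny,
        // which also covers the "does the friend uid exist" check.
        && request.resource.data.email == profile(friendId).email
        && request.resource.data.displayName == profile(friendId).displayName
        && !alreadyLinked(request.auth.uid, friendId)
        && !alreadyLinked(friendId, request.auth.uid);
    }
  }
}
```

Every get()/exists() call counts toward Firestore's per-request document-access limit, so the rule stays deliberately narrow; fields the rules cannot verify against an authoritative document (here, anything not in the friend's profile) should be treated as untrusted display data only.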