Firestore Firebase中的规则
我正在为Firestore数据库设置规则,但我无法理解恶意用户的含义。如果我有道路: /innction_user_item/prova/item/a23w4 ....其中a23w4 ..是uid。对于此路径,我设置以下规则:
match /junction_user_item/{multiSegment=**}/{userId}{
allow read: if request.auth != null
allow write: if request.auth != null
}
此路径的每个文档都包含“喜欢”的值(每次登录用户显示该文档时,如果您喜欢图片: 喜欢:firebase.firestore.fieldvalue.increment(1)
这个想法是,路径`/innction_user_item/prova/prova/items/'有一系列照片,任何人都可以通过编辑文档来喜欢它。
现在,登录的恶意用户可以做什么?他可以使用那条路并提高“喜欢”财产的任何文件?我不能说:
allow read, write: if request.auth != null && request.auth.uid == userId
因为该路径下的文档必须可供所有人访问。
另外,如何确保没有人可以编辑/删除路径?
/junction_user_item/PROVA
I am setting the rules for my firestore database but I can't understand the meaning of malicious user . If I have the path:/junction_user_item/PROVA/items/A23W4.... where A23W4.. is the uid . For this path I set the following rule:
match /junction_user_item/{multiSegment=**}/{userId}{
allow read: if request.auth != null
allow write: if request.auth != null
}
Each document of this path contains the value 'likes' (each time the document is displayed by any logged-in user, the value can be incremented by 1 if you like the picture:likes:firebase.firestore.FieldValue.increment(1)
The idea is that under the path `/junction_user_item/PROVA/items/' there is a collection of photos and anyone can like it by editing the document.
Now, what can a malicious user who has logged in do? Can he use that path and increase the 'likes' property by as much as he wants of any document ? I can't put the rule :
allow read, write: if request.auth != null && request.auth.uid == userId
because the documents under that path must be accessible to everyone.
Also how to make sure no one can edit/delete the path?
/junction_user_item/PROVA
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论