问题描述
所以我想要的最后一件事是任何访问数据库的人都不应该这样做。在我的应用程序的用户创建一个帐户,其中有一个关键和我的数据库中的子(一个易于访问用户配置文件),它也使一个身份验证帐户。数据库规则规定只有经过身份验证的用户才能访问数据库。是否有可能被认证的人以某种方式访问数据库的其余部分(通过黑客攻击)?这是我使用firebase的第一个应用,我想确保用户信息将被保护。 >您的规则。如果规则是:
//这些规则需要认证
{
rules:{
.read:auth!= null,
.write:auth! = null
}
这种规则允许完整的读取写入您的应用的已通过身份验证的用户的访问权限。换句话说,经过身份验证的用户可以访问数据库中的所有数据,而不会发生任何黑客行为。
如果您设置了类似于此规则的内容:
pre $ $ $ b $$ user $$ {$ b $$ user $$ { /授予对此用户帐户的所有者的写入权限
//其uid必须与该密钥完全匹配($ user_id)
.write:$ user_id === auth.uid$ b $它允许写访问权限,它允许用户访问数据库中的数据。到这个用户帐户的所有者,但只有这个数据。
这意味着你必须设置规则,以获得您的数据中的每个节点所需的结果。 / p>
So the last thing I want is anyone accessing the database that isn't supposed to. Users on my app create an account which has a key and children in my database (an easy to acces user profile) and it also makes an auth account. The rules of the database state that only authenticated users can access the database. Is it possible for someone who is authenticated to somehow access the rest of the database (through hacking maybe)? This is my first app using firebase and I want to make sure that user information will be protected.
It depends by your rules.
If the rule is:
// These rules require authentication
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
This kind of rule allows full read and write access to authenticated users of your app. In other words an authenticated user can access all the data in the database without any hacking.
If you set something similar to this rule:
{
"rules": {
"users": {
"$user_id": {
// grants write access to the owner of this user account
// whose uid must exactly match the key ($user_id)
".write": "$user_id === auth.uid"
}
}
}
}
it grants write access to the owner of this user account but only of this data.
It means that you have to set the rules to obtain the wanted result for each nodes in your data.
这篇关于保持firebase数据安全的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!