Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
4.0k views
in Technique[技术] by (71.8m points)

javascript - Firebase: Does the bucket owner have access to all data?

I am making a To-do Android Application using the Firebase backend. For that, I can use a simple access rule which allows read and write access only when uid == auth.uid. However, as the owner of the bucket, I am currently able to see all the to-dos that any user creates. Clearly, this is unexpected behavior. How do I restrict my access to certain data in my own bucket? Or is there any other alternative?

EDIT: More details. The current security rule is as follows

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read, write: if uid == auth.uid;
    }
  }
}

I am working with react-native and following rnfirebase and used Google Sign-in by this SDK wrapper here. The code to upload an image to Firebase storage follows the tutorial here. Here is the snippet in react-native.

const reference = storage().ref('black-t-shirt-sm.png');

  return (
    <View>
      <Button
        onPress={async () => {
          // path to existing file on filesystem
          const pathToFile = `${utils.FilePath.PICTURES_DIRECTORY}/black-t-shirt-sm.png`;
          // uploads file
          await reference.putFile(pathToFile);
        }}
      />
    </View>
  );

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

This makes no sense:

match /{allPaths=**} {
  allow read, write: if uid == auth.uid;
}

This allows access to the file if the built-in variable auth.uid matches the context variable uid. But you never define uid anywhere, so the rule always fails. In fact, this should not even save as you have a syntax error by not defining uid anywhere before you use it.

Are you saying that with these rules you have a user who is able to see all files? Can you show an example of that?


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...