I have rules set up that ensure a foreign key like constraint: when I put data at a certain path, the key is validated to exist at another node.
Rule snippet:
"app": {
"freebies": {
"$provider_id": {
".validate": "newData.parent().parent().parent().child('app').child('providers').child($provider_id).val() != null"
}
}
}
If I run a simulation with these params
Write to /app/freebies
width data: {"totally_fake": 1}
This fails, which is CORRECT.
On the other hand, if I just go to the online editor and add a node to the same location with the same data, it writes the DB without errors.
My question is: does the online editor bypass the security rules ?
See Question&Answers more detail:
os 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…