Some Firebase Security Rules Apply to the Administrator in Cloud Functions

The cloud function gets permission to use firebase when updating or deleting.

The service account is initialized with the credentials from the file to use auth.createCustomToken, which is currently not available for the default account.

const admin = require('firebase-admin');
const functions = require('firebase-functions');
// Service-account credentials loaded from a local key file
const credential = admin.credential.cert(require('./credentials.json'));
admin.initializeApp({credential: credential, databaseURL: functions.config().firebase.databaseURL});

Security rules that prevent updates:

"downloads": {
  "$key": {
    ".write": "data.val() == null"
  }
}

The user inserts the data with push into /downloads, then the Cloud Function tries to update and subsequently delete it. Both of these operations fail, even though administrator accounts supposedly circumvent all security rules, including verification.

FIREBASE WARNING: update at /downloads/-Kexz33ljYjKblF_ZgUo failed: permission_denied
FIREBASE WARNING: set at /downloads/-Kexz33ljYjKblF_ZgUo failed: permission_denied

The first error (update) disappears if I change the rules:

"downloads": {
  "$key": {
    ".write": "newData.child('uid').val() == auth.uid"
  }
}

UPDATE

, event.data.ref

ref = admin.database().ref(event.data.ref.path.toString())
+4
1

event.data, Cloud Function onWrite(), : , , (event.data.ref) , , (event.data.adminRef). , , , , event.data.ref. event.data.adminRef .

+14
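
Added example, not part of the original question or answer: a simplified model (not Firebase's rules engine) of the two ".write" rules above, run against the push, update and delete sequence from the question. It assumes that a write through event.data.ref is evaluated with the triggering user's auth while event.data.adminRef or admin.database().ref(...) skips rule evaluation; the names rules, write, scenario, asUser and asAdmin and the sample record are constructed for illustration.

```javascript
// Simplified model of the two ".write" rules from the question.
// Not Firebase's rules engine: data/newData are plain objects or null.
const rules = {
  // ".write": "data.val() == null"  -> only creation is allowed
  createOnly: (data, newData, auth) => data === null,
  // ".write": "newData.child('uid').val() == auth.uid"
  ownerUid: (data, newData, auth) => {
    if (!auth) return false; // no auth.uid to compare against
    const uid = newData && 'uid' in newData ? newData.uid : null;
    return uid === auth.uid;
  },
};

// ctx.admin models a reference with admin privileges (rules skipped);
// otherwise the write is checked against the rule with ctx.auth.
function write(rule, ctx, data, newData) {
  if (ctx.admin) return 'ok';
  return rule(data, newData, ctx.auth) ? 'ok' : 'permission_denied';
}

// Constructed sample: user pushes a record, then the function updates and deletes it.
function scenario(rule, fnCtx) {
  const user = { admin: false, auth: { uid: 'user-1' } };
  const created = { uid: 'user-1', file: 'report.pdf' };
  const updated = { ...created, status: 'done' };
  return {
    push: write(rule, user, null, created),
    update: write(rule, fnCtx, created, updated),
    remove: write(rule, fnCtx, updated, null),
  };
}

const asUser = { admin: false, auth: { uid: 'user-1' } }; // event.data.ref
const asAdmin = { admin: true, auth: null }; // event.data.adminRef, admin.database().ref(...)

for (const [name, rule] of Object.entries(rules)) {
  console.log(name, 'user-scoped :', scenario(rule, asUser));
  console.log(name, 'admin-scoped:', scenario(rule, asAdmin));
}
```

With the second rule the update passes under the user's auth, but the delete is still denied because newData is null and its uid can never equal auth.uid.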

Source: https://habr.com/ru/post/1672060/

