为什么我仍然可以读取资源,即使它受到使用firestore数据库的`Rule`的保护

时间:2018-06-15 06:56:14

标签: firebase spring-boot firebase-realtime-database firebase-authentication google-cloud-firestore

这是我的数据库集合(用户,资源)和文档(资源,uid)

enter image description here enter image description here 在我的authenticaiton我有2个人

  • other_ud
  • QmYOQFXavvP0IQYv1nZ6XaedxJn1 +users +QmYOQFXavvP0IQYv1nZ6XaedxJn1 <-- copied from above authentication uid -isAdmin: true +resources +resource -first: A -last: B -born: 2000

我正在使用spring-boot,这是我的控制器方法:

@RequestMapping(method = RequestMethod.GET, value = "/readone")
@ResponseBody
public  ResponseEntity<Object> readOneDocInOneCollection() throws JsonParseException, IOException, ExecutionException, InterruptedException {
    Firestore db = FirestoreClient.getFirestore();
    DocumentReference docRef = db.collection("resources").document("resource");
    // asynchronously retrieve the document
    ApiFuture<DocumentSnapshot> future = docRef.get();
    // block on response
    DocumentSnapshot document = future.get();
    User user = null;
    user = document.toObject(User.class);
    String serialized = new ObjectMapper().writeValueAsString(user);
    return new ResponseEntity<Object>(serialized, HttpStatus.OK);

}

TO TEST

enter image description here 我在chrome上使用postman,我点击http://localhost:8080/auth/user/readone 随附id_token附加标题X-Firebase-Auth={my_token} 我仍然得到结果:

{"id":"1","first":"A","last":"B","born":2000,"middle":null}

以下是Rule

Firestore 
service cloud.firestore {
    match /databases/{database}/documents {
      match /resources/{resource} {

        function isAdmin() {
            return get(/databases/$(database)/documents/users/$(request.auth.uid)).isAdmin ||
            get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isAdmin;
        }

        allow read: if isAdmin();
        allow create, update, delete: if isAdmin();
    }
  }
}

0 个答案:

没有答案
相关问题
最新问题