Firebase"许可被拒绝"但还在写吗?

时间:2017-03-30 03:40:52

标签: android firebase firebase-realtime-database firebase-security

我的Firebase应用程序有以下规则集:

{
  "rules": {
    "EVENT_TABLE":{
            "$id":{
        //Explicitly allow for reading of the EVENT_TABLE item data, however specify sub-pieces to be unreadable.
        ".read":"auth != null",
        ".write":"auth != null",
        "allowed_users":{
          "$user_id":{

          }
                },
        "requested_users":{
           ".read":"auth != null",
           ".write":"auth != null"
        }
      }
    },
    "EVENT_TABLE_GEO_MAP":{
      ".read": "auth != null",
      ".write": "auth != null"
    },
    "EVENT_CONFIDENTIALS_TABLE":{
      ".write": "auth != null",
      "$id":{
        ".read": "root.child('EVENT_TABLE/'+$id+'/allowed_users/'+auth.uid).exists()"
      }
    }
  }
}

每当用户尝试将自己添加到" requested_users"在EVENT_TABLE对象下映射,它表示"权限被拒绝"但仍然可以成功写入用户的ID。

以下是示例数据:

{
  "b216d166-eff2-4947-898c-cef75e32605e" : {
    "allowed_users" : {
      "gEnCx9TIFNNOjExbzEtdIBwB2t62" : 1
    },
    "body" : "ahah",
    "end" : 1490842878378,
    "id" : "b216d166-eff2-4947-898c-cef75e32605e",
    "latitude" : 44.783728,
    "longitude" : -93.2468524,
    "name" : "New Event",
    "owner_id" : "gEnCx9TIFNNOjExbzEtdIBwB2t62",
    "requested_users" : {
      "0G4OMRWeiNScz5KnpkOaDQw9kd02" : 1
    },
    "start" : 1490842876140
  }
}

用户请求将包含其ID的新地图写入“被请求用户”后面。字段。

此外,这是我在Android中用来调用write的函数:

  public static void requestToJoinEvent(Event eventRequested, final Activity activityCalling){

        user = FirebaseAuth.getInstance().getCurrentUser();
        if(user!=null){
            retrieveDatabaseReference(EVENT_TABLE);
            eventRequested.getRequested_users().put(user.getUid(),1);
            ref.child(eventRequested.getId()).child("requested_users").setValue(eventRequested.getRequested_users());
            ref.addValueEventListener(new ValueEventListener() {
                @Override
                public void onDataChange(DataSnapshot dataSnapshot) {
                    operationSuccess=true;
                    displayRequestSentMessage(activityCalling);
                }

                @Override
                public void onCancelled(DatabaseError databaseError) {
                    //This returns with a Permission Denied error.
                }
            });
        }else{
            throw new RuntimeException("User is missing!");
        }
    }

为什么它会抛出Permission Denied错误并仍然成功写入?

0 个答案:

没有答案