Any logged in user can read firebase


Fatima Tarer

Mar 4, 2022, 12:20:15 AM
to Firebase Google Group
My mobile application is a public ecommerce app and any user can read the data which is coming from Firebase. I am receiving mails again and again about insecure rules.

My Firebase Project name is 
 1-Ethnic E-Comm Flutter App
Database
ethnic-e-comm-flutter-app
-------------------------------------------------
2-Outfitter E-Comm Flutter App
Database
outfitter-e-comm-flutter-app

Kindly stop sending this mail on these projects.

Frank van Puffelen

Mar 4, 2022, 12:47:31 PM
to Firebase Google Group
You can disable the alerts yourself by clicking the little bell icon in the top-right of your Firebase console, which takes you to the alerts settings.

I *do* recommend, however, using the principle of least privilege towards your security rules, and ensuring that they allow nothing more than your code does. With this approach your rules should only allow an operation at the root if your code also performs that exact operation at the root of the database.

Rodrigo de França Miss Nairnei

Mar 4, 2022, 1:28:21 PM
to Firebase Google Group
You need to add Firebase rules in your database.

Since they are in default (or test mode), any user can have access to all the data. The ideal is to create specific access rules for logged-in users and also define who can have access to the information.

See this: https://firebase.google.com/docs/rules

Regards, Rodrigo Nairnei

Fatima Tarer

Mar 5, 2022, 11:11:43 AM
to Firebase Google Group
I have defined the rule for writing to the database, and only one authenticated user can write to my database. My app is a public app and all the users can read it without any authentication. I am receiving mails only on my read rule for the database. The mail is: any logged-in user can read your entire database.

Tracy Hall

Mar 5, 2022, 3:00:34 PM
to Firebase Google Group
"logged-in user"

`allow read: if request.auth.uid;`

Rachel Myers

Mar 7, 2022, 11:40:48 AM
to fireba...@googlegroups.com
There are two ways to stop the emails: you can acknowledge the warning in the console, or you can update the rules to solve the problem it's alerting about. 

It sounds like you have `read: if request.auth != null;` in your rules. Even though you probably want some things to be public, like the product catalog, it's important to make sure that anything that is tied to an individual is locked down.

Best,
Rachel 

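Added example, not part of any post in this thread: one way to split a public catalog from per-user data, written in Cloud Firestore rules syntax to match the `allow read: if ...` snippets quoted above. The collection names `products`, `users` and `orders`, the `userId` field and the admin UID placeholder are assumptions, not values from the original projects.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak form the alert describes, kept here only for contrast:
    // a recursive wildcard that lets every signed-in account read everything.
    // match /{document=**} {
    //   allow read: if request.auth != null;
    // }

    // Public product catalog (hypothetical collection name).
    // Anyone may read; only the single admin account may write.
    match /products/{productId} {
      allow read: if true;
      allow write: if request.auth != null
                   && request.auth.uid == 'ADMIN_UID_PLACEHOLDER';
    }

    // Per-user profile documents (hypothetical collection name).
    // The document ID is the owner's UID, so only the owner gets access.
    match /users/{userId} {
      allow read, write: if request.auth != null
                         && request.auth.uid == userId;
    }

    // Orders (hypothetical collection and field names).
    // Each order stores its owner's UID in `userId`.
    match /orders/{orderId} {
      // Existing orders are readable only by the account that owns them.
      allow read: if request.auth != null
                  && resource.data.userId == request.auth.uid;
      // A new order must be created under the caller's own UID.
      allow create: if request.auth != null
                    && request.resource.data.userId == request.auth.uid;
    }

    // No other match block exists, so every other path is denied by default.
  }
}
```

With no rule at the root, the only publicly readable path is the catalog, and each read the app performs has a matching, equally narrow rule.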