FixVibe

// docs / baas security / firebase if-true explainer

An bayyana Firebase allow read, write: if true: abin da yake yi da yadda ake gyara shi

<code>allow read, write: if true;</code> shine kuskuren saiti na Firebase mafi yawa a samarwa. Tsohuwar yanayin-gwaji ce wacce Firebase Console ke ba da shawara lokacin da kuka ƙirƙira sabuwar bayanai, dokar da kayan aikin coding na AI suka sake samar daga takardu, da kuma dokar da ke buɗe duka bayanan Firestore ɗinku ga kowa a intanet. Wannan labarin yana bayyana syntax daidai, yana nuna abin da mai kai hari ke gani lokacin da wannan dokar take rayuwa, kuma yana ba ku ƙarin maye gurbin masu tsaurin-ra'ayi huɗu masu dacewa da nau'ikan amfani daban-daban.

Syntax, layi-da-layi

Cikakken takardar dokokin yanayin-gwaji na Firestore layi shida ne:

firebase
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}

An bayyana:

  • rules_version = '2'; yana zaɓar injin dokokin v2 (na yanzu). Tsofaffin dokokin v1 sun ƙare.
  • service cloud.firestore yana kayyade block zuwa Firestore. Realtime Database tana amfani da nau'in syntax na JSON daban; Cloud Storage tana amfani da service firebase.storage.
  • match /databases/{database}/documents yana haɗa bayanan (default) na musamman (mafi yawan ayyukan suna da ɗaya ne kawai).
  • match /{document=**} wildcard mai sake komawa ne. ** yana dacewa da kowane hanya na kowane zurfi. Tare da {document}, wannan yana kama kowane takarda a kowane tarin — wani shari'ar dacewa ɗaya da ke mulkin duka bayanan.
  • allow read, write: if true; jikin doka ne. Duka read da write ana ba da izini; sharaɗin if true, koyaushe gaskiya ne. read yana rufe ayyukan get da list; write yana rufe create, update, da delete.

Tasiri: kowane abokin ciniki tare da Firebase project ID da SDK daidai zai iya karanta ko rubuta kowane takarda a kowane tarin. Tabbatarwa ba ta da buƙata. Iyakokin rate ba sa aiwatarwa.

Me yasa Firebase ke aika wannan a matsayin tsohuwa

Firebase yana son ku riƙa coding a cikin daƙiƙa 30 na farko bayan ƙirƙirar aiki. Maye gurbi — sa ku rubuta dokar daidai kafin kowane karatu ko rubutu ya yi aiki — zai toshe shigarwa. Don haka Console yana ba da zaɓuɓɓuka biyu lokacin da kuka ƙirƙira bayanai: yanayin Samarwa (hana komai, kuna rubuta dokoki) ko yanayin Gwaji (bayar da izini ga komai na kwana 30). Yawancin masu haɓakawa suna danna yanayin gwaji, sannan suna manta dawowa. Ayyukan tsofaffi suna da agogon kwana 30; ayyukan yanzu suna da dokar if true mara iyaka ba tare da karewar atomatik ba.

Matsalar tsari: kayan aikin coding na AI suna horar akan takardu, koyarwa, da amsoshin Stack Overflow waɗanda suke nuna dokokin yanayin-gwaji. Lokacin da kuka tambayi Cursor ko Claude Code "yaya zan saita Firebase," amsar sau da yawa tana haɗa da ainihin block allow read, write: if true kamar dai ita ce dokar samarwa. AI ba ya sani — kuma ba a buƙace shi ya sani ba — cewa wannan dokar ba ta amintacciya don samarwa ba.

Abin da mai kai hari ke gani

A bayyane, mai kai hari da ya san ID na aikin Firebase ɗinku (ana iya cire daga kowane haɗakar manhajar da aka aika a daƙiƙa 30) kuma yake gudanar da masu zuwa zai iya jera kowane takarda a kowane tarin:

Buƙatar curl marar tabbatarwa ɗaya ta isa don ƙidaya kowane tarin. Duba block mai haske a ƙasa.

bash
curl 'https://firestore.googleapis.com/v1/projects/[project-id]/databases/(default)/documents:listCollectionIds' \
  -X POST \
  -H 'Content-Type: application/json' \
  -d '{}'

Amsa shi ne cikakken jerin tarin manyan. Ga kowane tarin, buƙatar ta biyu tana komawa da takardu. Babu iyakar rate akan wannan hanyar saboda dokokin if true suna karɓar tubali marar suna. Mun ga bayanan Firebase tare da miliyoyin takardu da aka ƙidaya a ƙasa da sa'a ɗaya.

Akan hanyar rubutu: POST ɗaya tare da {fields} yana ƙirƙirar sabon takarda. Masu kai hari na iya gurɓata tarinku da shara, lalata shafuka masu fuskantar mai amfani waɗanda suke karantawa daga Firestore, ko amfani da bayananku a matsayin mai watsa saƙon kyauta — biyanku yana hauhawa, kun bincika, biyan yana bayyana matsalar.

Maye gurbi huɗu na samarwa-mai-aminci

Zaɓi maye gurbin da ya dace da samfurin bayanan manhajarku. Duka huɗu suna ɗaukar cewa kuna da tabbatar da mai amfani (Firebase Auth ko kowane mai bayar da shaida da ke ba da Firebase ID token):

Zaɓi 1: Takardu na mai-amfani-mallaka

Mafi yawan siffar SaaS. Takardu suna rayuwa ƙarƙashin /users/{userId}/... kuma kawai mai mallaka zai iya taɓa su. match /users/{userId}/{document=**} { allow read, write: if request.auth != null && request.auth.uid == userId; }

firebase
match /users/{userId}/{document=**} {
  allow read, write: if request.auth != null
                     && request.auth.uid == userId;
}

Zaɓi 2: Shafin mai mallaka akan kowane takarda

Lokacin da takardu suka rayu a cikin tarin lebur (ba a haɗe ƙarƙashin user ID ba), adana shafin owner_uid kuma duba shi. match /posts/{postId} { allow read: if resource.data.public == true || resource.data.owner_uid == request.auth.uid; allow write: if request.auth.uid == resource.data.owner_uid; }

firebase
match /posts/{postId} {
  allow read:  if resource.data.public == true
              || resource.data.owner_uid == request.auth.uid;
  allow write: if request.auth.uid == resource.data.owner_uid;
}

Zaɓi 3: Keɓancewar org na multi-tenant

Don SaaS na B2B tare da bayanan org-scoped. Adana shafin org_id akan kowane takarda kuma duba shi akan custom claim na mai amfani. allow read, write: if request.auth.token.org_id == resource.data.org_id;. Yana buƙatar saita custom claim yayin sa hannu ta Firebase Admin SDK.

firebase
allow read, write: if request.auth.token.org_id == resource.data.org_id;

Zaɓi 4: Abun ciki na jama'a na karatu-kawai

Don abun ciki na tallace-tallace, bayanan jama'a, kasidar samfuran — duk wani abu da yake na gaske karatu-jama'a amma-rubutu-admin-kawai. match /products/{productId} { allow read: if true; allow write: if request.auth.token.admin == true; }. Custom claim admin ana saita shi akan asusun admin kawai.

firebase
match /products/{productId} {
  allow read:  if true;
  allow write: if request.auth.token.admin == true;
}

Tambayar bincike mai sauri

Kafin gyara, duba ko if true yana raye gaske. Buɗe Firebase Console → Firestore → Rules kuma binciki if true. Idan kun same shi a ko'ina a waje da sharhi, kuna da ganowar dokar-bude. Mai kwaikwayar Dokokin a cikin UI guda yana ba ku damar sake kunna buƙatar mai kai hari a gida — manna marar tabbatarwa GET /users/somebody kuma tabbatar da mai kwaikwayon yana mayar da An Yarda.

Tabbatarwa ta waje: gudanar da binciken FixVibe akan URL ɗin samarwarku. Binciken baas.firebase-rules yana bincika dokokin Firestore, Realtime Database, da Storage kuma yana ba da rahoton ganowa iri ɗaya da mai kai hari zai gano — ban da abin da Firebase Console ke nunawa.

Tambayoyin da ake yawan yi

Mene ne bambanci tsakanin <code>if true</code> da <code>if request.auth != null</code>?

if true yana ba da izinin damar marar suna — kowa a intanet. if request.auth != null yana buƙatar kowane mai amfani da aka sa hannu, wanda ya fi kyau amma har yanzu kuskure ne: kowane mai amfani da manhajarku zai iya karanta bayanan kowane mai amfani daban. Dokokin samarwa dole ne su dace zuwa takamaiman mai amfani ko org ta hanyar request.auth.uid == resource.data.owner_uid ko makamancin haka.

Shin Firebase ta taɓa karkata dokokin <code>if true</code> ta atomatik?

Tsofaffin ayyukan (kafin-2023) suna da agogon kwana 30 da ya juya dokokin if true zuwa if false. Ayyukan yanzu ba su yi haka ba — dokar tana tafiya har abada har sai an maye gurbinsu da hannu. Idan kun ƙirƙira aikinku kafin 2023 kuma dokokinku suna kallon kyau, duba sau biyu: agogo na iya kuma ya juya su zuwa if false, wanda ke toshe manhajarku.

Shin zan iya amfani da bincika timestamp na kwanan-wata-na-gaba a matsayin tashar tsaro?

A'a — yanayin timestamp ba kula da tsaro ba ne. Yana karewa dokar buɗe akan kwanan wata na gaba, wanda ke nufin har zuwa wannan kwanan masu kai hari suna da cikakken dama. Kuma za ku manta da kwanan. Maye gurbin if true da dokar kayyade-auth, ba kayyade-lokaci ba.

Idan manhajata ta gaske karatu-jama'a (blog, kasidar samfuran)?

To, a bayyane rubuta allow read: if true; allow write: if false; akan tarin jama'a kawai — ba akan kowane tarin a bayananku ba. Yi amfani da shari'ar match daban kowane tarin kuma kar a taɓa amfani da wildcard {document=**} mai sake komawa akan dokokin masu rubuta.

Matakai na gaba

Gudanar da binciken FixVibe akan URL ɗin samarwarku — binciken baas.firebase-rules yana tabbatar ko if true a halin yanzu yana iya amfani daga intanet na jama'a. Don aikin na'urar bincike da gano daidaitacciya don Realtime Database da Storage, duba Na'urar bincike ta dokokin Firebase. Don daidaitacciyar ajin kuskuren saiti akan Supabase, karanta Na'urar bincike ta Supabase RLS.

// yi bincike kan saman BaaS naka

Sami teburin bude kafin wani ya same shi.

Sakawa URL ɗin samarwa. FixVibe yana ƙidaya masu samar da BaaS da manhajarku ke magana da su, yana yi musu fingaprint na ƙarshen jama'a, kuma yana ba da rahoton abin da abokin ciniki marar tabbatarwa zai iya karantawa ko rubuta. Kyauta, ba shigarwa, ba kati.

  • Matakin kyauta — 3 bincike / wata, ba kati na sa hannu.
  • Fingaprinta BaaS mai shiru — babu buƙatar tabbatar da dama.
  • Supabase, Firebase, Clerk, Auth0, Appwrite, da ƙarin.
  • Umarni na gyara AI a kan kowane gano — manna komawa zuwa Cursor / Claude Code.
Gudanar da binciken BaaS kyauta

ba buƙatar sa hannu

An bayyana Firebase allow read, write: if true: abin da yake yi da yadda ake gyara shi — Docs · FixVibe