I am a beginner with Firebase and I have a theoretical question. I have a database in Firebase and I have a web application which was built with ReactJS. In the database I have a user collection with, for example, email and password and an isAdmin property. So, where isAdmin is equal to 1, those users would be the administrators. After the login, I can check the user's isAdmin value, BUT what if somebody changes the JS condition on the client side? If he changes the isAdmin parameter on the client side, can he reach the administrator part of the site? I have read articles about this topic but I don't get how this security mechanism works. So is this an existing threat or did I miss something? Thanks for the explanations and the answers!
You'd typically ensure that the isAdmin property can only be set by authorized users.
In many of my demo projects I put a list of UIDs of users who have full access under a node called whitelist:
whitelist
    UID1: true
    UID2: true
And then in my security rules for my database, I specify that users who are whitelisted have full write access:
{
  "rules": {
    ".read": true,
    ".write": "root.child('whitelist').child(auth.uid).exists()"
  }
}
Now with this simple setup all users can read the entire database. But only admins can write everywhere in the database. Regular users won't have the ability to add their own UID to the whitelist, since they're not admins.
Frank van Puffelen
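As an added example that is not part of the answer above, here is a fuller Realtime Database rules file built on the same whitelist node. The `users` and `adminOnly` paths, and the `/whitelist/<uid>: true` layout, are assumptions for illustration; the `//` comments are accepted by the Firebase rules editor. Each signed-in user may read and write only their own `users/$uid` node, whitelisted admins may read and write everything, and the whitelist itself is readable and writable only by admins. Nothing in these rules consults an `isAdmin` field stored on the user record, so editing that field in the browser, or changing the React condition that reads it, only changes what the page renders, not what the database accepts.

```json
{
  "rules": {
    // Admin whitelist (assumed layout: /whitelist/<uid>: true).
    // Only admins can see or change it, so a regular user cannot add their own UID.
    "whitelist": {
      ".read": "auth != null && root.child('whitelist').child(auth.uid).exists()",
      ".write": "auth != null && root.child('whitelist').child(auth.uid).exists()",
      "$uid": {
        // Entries must be booleans; nothing else can be stored under a UID.
        ".validate": "newData.isBoolean()"
      }
    },
    // Per-user profiles (assumed path). A user may read and write only their own
    // node; a whitelisted admin may read and write any node. Any isAdmin field a
    // client stores here is informational only: no rule grants rights based on it.
    "users": {
      "$uid": {
        ".read": "auth != null && (auth.uid == $uid || root.child('whitelist').child(auth.uid).exists())",
        ".write": "auth != null && (auth.uid == $uid || root.child('whitelist').child(auth.uid).exists())"
      }
    },
    // Admin-only data (assumed path): readable and writable by whitelisted UIDs only.
    "adminOnly": {
      ".read": "auth != null && root.child('whitelist').child(auth.uid).exists()",
      ".write": "auth != null && root.child('whitelist').child(auth.uid).exists()"
    }
  }
}
```

These rules are evaluated on Firebase's servers for every read and write, so a tampered client cannot bypass them; the `auth != null` guards make unauthenticated requests fail closed instead of relying on how `auth.uid` behaves when there is no signed-in user. Check the rules against the UIDs you expect in the Rules Playground in the Firebase console before deploying, in particular that a non-whitelisted user is denied a write to `/whitelist` and to another user's `/users` node.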