2

Is there a way to protect the database from deletion? I mean it's very easy to click on the "x" next to the root node. This would destroy the whole app and cause an enourmous mess to deal with.

How to deal with this fragility?

EDIT:

Let's assume I have two firebase accounts: one for testing and one for the launched app. I regularly log in and out to use the other one. On the test account I delete whole nodes on a regular basis. An activated password protection would avoid a very expensive confusion of the two accounts.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
MJQZ1347
  • 2,607
  • 7
  • 27
  • 49
  • 2
    Have you tried to delete it? Unless you're holding shift, deleting anything requires additional confirmation in a dialog. – Travis Christian Dec 13 '16 at 18:52
  • Even with the additional popup it's too easy. Just think of a situation where you accidently leave your laptop unattended or it gets stolen/lost and someone plays with it. There should be a mode with which any deletion should require entering your password. – MJQZ1347 Dec 13 '16 at 18:54
  • 3
    If it's data _security_ you're worried about, you should be thinking about regular backups, project access permissions, and physically securing your computer. Once a malicious user is logged in to your console all bets are off. – Travis Christian Dec 13 '16 at 19:03
  • 1
    This would be the same as logging into your banking website and leaving the computer unattended. We've been using Firebase for about 3 years and never had any data deleted. – Jay Dec 13 '16 at 19:47
  • But my banking website would need me to enter a sequence of numbers for transfering money. See updated question for a more fitting scenario. – MJQZ1347 Dec 13 '16 at 20:49

1 Answers1

1

If you give a user edit access to the Firebase Console of your project, the user is assumed to be an administrator of the database. This means they can perform any write operation to the database they want and are not tied to your security rules.

As a developer you probably often use this fact to make changes to your data structure while developing the app. For application administrators, you should probably create a custom administrative dashboard, where they can only perform the actions that your code allows.

There is no way to remove specific permissions, such as limiting the amount of data they can remove. It could be a useful feature request, so I suggest posting it here. But at the moment: if you don't trust users to be careful enough with your data, you should not give them access to the console.

As Travis said: setting up backups may be a good way to counter some of this anxiety.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807