2

I have rules set up that ensure a foreign-key-like constraint: when I put data at a certain path, the key is validated to exist at another node.

Rule snippet:

"app": {
  "freebies": {
    "$provider_id": {
      ".validate": "newData.parent().parent().parent().child('app').child('providers').child($provider_id).val() != null"
    }
  }
}

If I run a simulation with these params

Write to /app/freebies with data: {"totally_fake": 1}

This fails, which is CORRECT.

On the other hand, if I just go to the online editor and add a node to the same location with the same data, it writes the DB without errors.

My question is: does the online editor bypass the security rules?

Ashton

1 Answer

5

Yes, it does. The Firebase console, as well as the Admin SDKs, bypass security rules and have "administrative" access to the Realtime Database.

Michael Bleigh
  • Thanks for the fast response, Michael! Love your product. – Ashton May 12 '17 at 19:42
  • I thought it was my rules that were out of order. I think this should be stated when writing rules in the console or uploading to the storage. Might be obvious for some – was not to me. – unitario Apr 24 '18 at 13:07
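
Since console and Admin SDK writes skip the .validate rule, entries that violate the question's constraint can end up in the database. The following is an added example, not code from the original post or from Firebase: a JavaScript audit over an exported database JSON that lists the keys under /app/freebies with no matching /app/providers entry, plus the same check as a guard for trusted code. The function names and the sample export are assumptions made for illustration.

```javascript
// Added example: audit an exported Realtime Database JSON for entries under
// /app/freebies that break the question's .validate rule. Names are hypothetical.

// Mirrors the rule's `.val() != null`: false, 0 and "" are stored values and count
// as existing; null/undefined and empty objects (never stored by RTDB) do not.
function nodeExists(value) {
  if (value === null || value === undefined) return false;
  if (typeof value === 'object' && Object.keys(value).length === 0) return false;
  return true;
}

function providerExists(dbExport, providerId) {
  const providers = (dbExport && dbExport.app && dbExport.app.providers) || {};
  return Object.prototype.hasOwnProperty.call(providers, providerId) &&
    nodeExists(providers[providerId]);
}

// Returns the sorted keys under /app/freebies that have no /app/providers entry.
function findOrphanedFreebies(dbExport) {
  const freebies = (dbExport && dbExport.app && dbExport.app.freebies) || {};
  return Object.keys(freebies)
    .filter((id) => nodeExists(freebies[id]))
    .filter((id) => !providerExists(dbExport, id))
    .sort();
}

// Guard for trusted code that bypasses rules: run the same check before writing.
function assertProviderExists(dbExport, providerId) {
  if (!providerExists(dbExport, providerId)) {
    throw new Error(`provider "${providerId}" not found; refusing to write freebie`);
  }
}

// Constructed sample export: "totally_fake" was added through the console.
const sampleExport = {
  app: {
    providers: { acme: { name: 'Acme' }, flagged: false },
    freebies: { acme: { item: 'sticker' }, flagged: { item: 'pin' }, totally_fake: 1 },
  },
};

console.log(findOrphanedFreebies(sampleExport)); // [ 'totally_fake' ]
```

The provider stored as false is treated as existing, matching how the rule's `!= null` comparison behaves.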