
Let's take a simple example. We have the /users node, protected by a rule per user. Then we have the /movies node, and for each user that watched a movie, the app will add the userid to this movie.

  1. Since users can write to /movies, how can I prevent a malicious user from calling ref.remove() on it? I can solve it by adding the movie to /users/$user and then creating a FB function to add it to /movie. Feels strange.

Simply put, how do I protect public areas?

  2. Since an authenticated user can write into his area under /users, how do I set a quota to prevent a malicious user from consuming all my bandwidth, storage, etc.?
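One way to express the first point as Realtime Database security rules, as an added example that is not part of the question (the /movies/$movieId/watchers/$uid layout is an assumption; the rules language itself, including newData.exists(), is Firebase's own):

```json
{
  "rules": {
    "users": {
      "$uid": {
        // Each user reads and writes only their own area.
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "movies": {
      ".read": "auth != null",
      "$movieId": {
        // Deliberately no .write here: rules cascade downward only, so a
        // client has no permission at /movies/$movieId and ref.remove()
        // on the movie node is rejected.
        "watchers": {
          "$uid": {
            // A signed-in user may add only their own uid, as the value true,
            // and cannot delete the entry afterwards (newData must still exist).
            ".write": "auth != null && auth.uid == $uid && newData.exists()",
            ".validate": "newData.isBoolean() && newData.val() === true"
          }
        }
      }
    }
  }
}
```

Because a write is granted only where a .write rule is true at that path or an ancestor, the watcher entries stay client-writable while the movie node itself and /movies as a whole are read-only to clients; the quota concern in the second point is not something these rules address.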
    It's not a bad idea to use Cloud Functions to maintain areas of data that should be read-only to clients. They can act as a single point of control for consistently managing data that should be distributed in multiple locations. – Doug Stevenson Sep 03 '17 at 10:15
  • In many specific cases, you can prevent problems through Firebase's server-side security rules. But it's impossible to answer this for the general case. One example where Kato explored rate-limiting is: https://stackoverflow.com/questions/24830079/firebase-rate-limiting-in-security-rules – Frank van Puffelen Sep 03 '17 at 12:56

0 Answers