问题描述
我使用firebase的 .on()
事件侦听器实时侦听插入到数据库中的条目。我注意到,即使在数据插入被拒绝的情况下,订阅了引用数据的用户也应该插入数据,即使在数据库中数据永远不会被插入。 b
$ b
我在开发我的web应用程序的聊天模块时注意到了这一点。这是一个错误的gif:
我已经对新消息设置了一个验证规则,它们的长度必须在200以下:
$ msg:{.validate:newData.val()。length< 200}
所以,当你看到我粘贴了一堆信件,控制台说,写入被拒绝,但具有 .on()
订阅该部分的用户的数据库仍然得到了消息,即使它没有被添加到数据库。
不管怎样,这不是一个真正的职位,只是想分享这个可能导致数据泄露的奇怪的错误。
当服务器拒绝写入时,它会删除不正确的缓存数据,你应该看到相应的 child_removed
事件。
I'm using firebase's .on()
event listener to listen for entries inserted into my database in real time. I've noticed that even when a data insertion is denied, a user subscribed to the ref the data was supposed to be inserted into still gets that piece of data, even though in the database the data is never inserted.
I noticed this while developing the chat module of my web app. Here is a gif of the bug: https://gfycat.com/VariableFrailBasenji
I've set a validation rule on new messages that their length has to be under 200:
"$msg": { ".validate": "newData.val().length < 200"}
So when you see me paste in a bunch of letters, the console says the write gets denied, but the user who had the .on()
subscription to that part of the database still got the message, even though it didn't get added to the database.
Anyways, this isn't really a post with a question, just wanted to share this strange bug that could potentially lead to data leakage.
The Firebase SDK uses advanced techniques like latency compensation when you write to the database. This means that before the server has acknowledged a write it goes into an in-memory database cache and optimistically assumes the write will be allowed.
When the server denies the write, it will remove the incorrectly cached data and you should see a corresponding child_removed
event.
这篇关于权限被拒绝仍被添加到.on()侦听器的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!