使用集合让一切井井有条
根据您的偏好保存内容并对其进行分类。
Firebase Security Rules
plat_ios
plat_android
plat_web
plat_flutter
plat_node
使用我们灵活、可扩展的 Firebase 安全规则可保护您在 Cloud Firestore、Firebase Realtime Database 和 Cloud Storage 中存储的数据。
Firebase Security Rules 是您的数据与恶意用户之间的屏障。您可以编写简单或复杂的规则来保护您的应用数据,使其达到特定应用所需的细化级别。
Firebase Security Rules 利用灵活的可扩展配置语言来定义用户可以访问 Realtime Database、Cloud Firestore 和 Cloud Storage 的哪些数据。Firebase Realtime Database Security Rules 在规则定义中采用 JSON 格式,而 Cloud Firestore Security Rules 和 Firebase Security Rules for Cloud Storage 利用独特的语言,以适应专用于更复杂规则的结构。
详细了解如何为您在应用中使用的特定 Firebase 产品设置 Rules,以及 Rules 行为在各种 Firebase 产品中有何不同。
开始
主要功能
灵活性 |
编写对您的应用结构和行为有意义的自定义规则。
Rules 使用多种语言来让您利用自己的数据对访问授权。
|
细化程度 |
视您的需求而定,您的规则可以很宽泛,也可以很具体。
|
独立的安全性 |
由于 Rules 是在您的应用之外(在 Firebase 控制台或 Firebase CLI 中)定义的,因此客户端不负责强制执行安全性,bug 不会造成数据泄露,并且您的数据始终受到保护。
|
规则的工作原理
Firebase Security Rules 的工作原理如下:将一种模式与多个数据库路径相匹配,然后应用自定义条件允许对这些路径上的数据进行访问。Firebase 产品中的所有 Rules 都有一个路径匹配的组件和一个允许进行读取或写入访问的条件语句。您必须为在应用中使用的每个 Firebase 产品定义 Rules。
对于 Cloud Firestore 和 Cloud Storage,Rules 使用以下语法:
service <<name>> {
// Match the resource path.
match <<path>> {
// Allow the request if the following conditions are true.
allow <<methods>> : if <<condition>>
}
}
对于 Realtime Database,基于 JSON 的 Rules 使用以下语法:
{
"rules": {
"<<path>>": {
// Allow the request if the condition for each method is true.
".read": <<condition>>,
".write": <<condition>>
}
}
}
Rules 作为 OR
语句而不是 AND
语句进行应用。因此,如果多条规则都与一个路径相匹配,只要其中有一项匹配的条件授予访问权限,Rules 就会授予对该路径上数据的访问权限。所以,如果宽泛的规则授予了对数据的访问权限,您无法通过更具体的规则来限制访问权限。但是,您可以通过确保 Rules 没有过多重叠来避免这一问题。Firebase Security Rules 将匹配路径中的重叠标记为编译器警告。
Firebase Security Rules 还可以利用 Authentication 来授予基于用户的权限,您设置的条件可以非常基本,也可以异常复杂。在开始编写 Rules 之前,请详细了解 Rules 语言和行为。
实现流程
后续步骤
如未另行说明,那么本页面中的内容已根据知识共享署名 4.0 许可获得了许可,并且代码示例已根据 Apache 2.0 许可获得了许可。有关详情,请参阅 Google 开发者网站政策。Java 是 Oracle 和/或其关联公司的注册商标。
最后更新时间 (UTC):2025-07-24。
[null,null,["最后更新时间 (UTC):2025-07-24。"],[],[],null,["Firebase Security Rules \nplat_ios plat_android plat_web plat_flutter plat_node \nUse our flexible, extensible Firebase Security Rules to\nsecure your data in Cloud Firestore, Firebase Realtime Database, and\nCloud Storage.\n\nFirebase Security Rules stand between your data and malicious users. You can write simple or\ncomplex rules that protect your app's data to the level of granularity that\nyour specific app requires.\n\nFirebase Security Rules leverage\nextensible, flexible configuration languages to define what data your users\ncan access for Realtime Database, Cloud Firestore, and Cloud Storage.\nFirebase Realtime Database Security Rules leverage JSON in rule definitions, while\nCloud Firestore Security Rules and Firebase Security Rules for Cloud Storage leverage a unique\nlanguage built to accommodate more complex rules-specific structures.\n\nLearn more about how to set up Rules for the specific Firebase products\nyou use in your app, and how Rules behavior differs across Firebase\nproducts.\n\n[Get started](/docs/rules/get-started)\n\nKey capabilities\n\n|----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Flexibility | Write custom rules that make sense for your app's structure and behavior. Rules use languages that allow you to leverage your own data to authorize access. |\n| Granularity | Your rules can be as broad or as narrow as you need. |\n| Independent security | Because Rules are defined outside of your app (in the Firebase console or Firebase CLI), clients aren't responsible for enforcing security, bugs don't compromise data, and your data is always protected. |\n\nHow do they work?\n\nFirebase Security Rules work by matching a pattern against database paths, and then applying\ncustom conditions to allow access to data at those paths. All Rules\nacross Firebase products have a path-matching component and a conditional\nstatement allowing read or write access. You must define Rules for\neach Firebase product you use in your app.\n\nFor Cloud Firestore and Cloud Storage, Rules use the following\nsyntax: \n\n service \u003c\u003cname\u003e\u003e {\n // Match the resource path.\n match \u003c\u003cpath\u003e\u003e {\n // Allow the request if the following conditions are true.\n allow \u003c\u003cmethods\u003e\u003e : if \u003c\u003ccondition\u003e\u003e\n }\n }\n\nFor Realtime Database, JSON-based Rules use the following syntax: \n\n {\n \"rules\": {\n \"\u003c\u003cpath\u003e\u003e\": {\n // Allow the request if the condition for each method is true.\n \".read\": \u003c\u003ccondition\u003e\u003e,\n \".write\": \u003c\u003ccondition\u003e\u003e\n }\n }\n }\n\nRules are applied as `OR` statements, not `AND` statements.\nConsequently, if multiple rules match a path, and any of the matched\nconditions grants access, Rules grant access to the data at that\npath. Therefore, if a broad rule grants access to data, you can't restrict with\na more specific rule. You can, however, avoid this problem by making sure your\nRules don't overlap too much. Firebase Security Rules flag overlaps in your\nmatched paths as compiler warnings.\n\nFirebase Security Rules can also leverage Authentication to grant user-based permissions, and the\nconditions you set can be very basic or incredibly complex. Learn more\nabout Rules [language](/docs/rules/rules-language) and [behavior](/docs/rules/rules-behavior)\nbefore you start writing Rules.\n\nImplementation path\n\n|---|-------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|\n| | Integrate the product SDKs | Set up [Cloud Firestore](/docs/firestore), [Cloud Storage](/docs/storage), or [Realtime Database](/docs/database) for your app. |\n| | Write your Firebase Security Rules | Learn more about [how Rules work](/docs/rules/rules-behavior) and [set up some basic Rules](/docs/rules/basics) |\n| | Test your Firebase Security Rules | Use the Realtime Database and Cloud Firestore emulators to test your app's behavior and validate your rules before you deploy them to production. |\n| | Deploy your Firebase Security Rules | Use the Firebase console or the Firebase CLI to deploy your rules to production. |\n\nNext steps\n\n- [Understand the Firebase Security Rules language](/docs/rules/rules-language).\n- Learn more about [how Firebase Security Rules work](/docs/rules/rules-behavior).\n- Explore the [common mistakes you should avoid](/docs/rules/insecure-rules)."]]