Comment by ko_pivot

Comment by ko_pivot 5 hours ago

0 replies

View on Hacker News

This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route.

On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.