Security
Since this website is to be used by a single group of people, and only users who hold the secret registration key are meant to create and manage contacts, a custom database rule restricts creating and editing contacts to users who are logged in with an account that was registered using that key. An attacker outside the company therefore cannot read sensitive contact data or change contacts at will, because the rule rejects every request that is not backed by such an account.

However, the rule only checks the account behind a request, not which client sent it: anyone who has the secret key can register, and can then read or write this data from any JavaScript that talks to the database directly, not just from this site. This is one of the main problems with client-side database writes, and it means the registration key has to be treated as a credential rather than a convenience. It is therefore necessary for users who were terminated from the company to have their accounts suspended through cloud functions such as the accountcleanup function, so that they cannot log in again and misuse the data.