[ggggtez]

Visible key isn't the bug. The bug is that the app should not have read access to other students.

[anarchodev]

Yep. Although this exact thing has happened to so many apps I’m beginning to doubt the wisdom of this “allow completely open dev settings at first and then YOU get to remember to fix it” model that fire base uses.

Maybe they could require an IP whitelist if the permissions aren’t set yet or something.

[rrix2]

This is the cause of many mongodb and redis woes as well.

[gchamonlive]

permissions are a pain... i am considering centralizing permission handling in a separate service environment so that every service I have shares the same permission logic.

It is a shame since we could save some latency time by having permissions implemented in the same language and app that it is being requested. But to avoid stuff like that in the article I believe the cons are worth it

edit: the user had direct access to the database. No amount of code would mitigate that. Moral of the story is NEVER leave your database open to public, always hide it behind a service wall

[NKCSS]

Security and usability are always at the opposite end of the spectrum. Balance it wisely.

[AmericanChopper]

This is such a dangerous false dichotomy. Plenty of security systems benefit user experience.

[TazeTSchnitzel]

And the security of a system can be completely undermined if nobody uses it because of poor user experience.

[Phillipharryt]

And in fact some systems are only usable because of their security. A bank that gives all accounts the same password could hardly be considered usable, neither could many websites if they did the same.