this post was submitted on 26 Jul 2025
872 points (99.0% liked)

Programmer Humor

25311 readers
158 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
Feyter@programming.dev
anzo@programming.dev
BurningTurtle@programming.dev
pylapp@programming.dev
872
I wonder if this was made by AI or a shit programmer (gregtech.eu)
submitted 2 days ago by lena@gregtech.eu to c/programmer_humor@programming.dev
178 comments fedilink hide all child comments
 
you are viewing a single comment's thread
view the rest of the comments
[–] EmilyIsTrans@lemmy.blahaj.zone 13 points 2 days ago

I agree that this is ultimately a problem with developers lacking security knowledge and general understanding, but my issue with Firestore specifically is that it is a powerful tool that, while it can be adopted as part of a carefully considered tech stack, lends itself most naturally towards being a blunt force instrument used by these kinds of developers.

My main criticism of Firestore is that it offers a powerful feature set that is both extremely attractive to amateur or constrained developers while simultaneously doing a poor job of guiding said amateurs towards creating a secure and well designed backend. In particular, the seemingly expected use case of the technology as something directly interfaced with by apps and other clients, as evidenced by the substantial support and feature set for this use case, is the main issue. This no-code no-management client driven interaction model makes it especially attractive to these developers.

This lack of indirection through an API Gateway or service, however, imposes additional design considerations largely delegated to the security rules which can easily be missed by a beginner. For example:

  1. Many examples of amateurs take an open-by-default approach, only applying access and write restrictions where necessary and miss data that should be restricted
  2. Some amateurs deploy databases with no access or write restrictions at all
  3. There is no way to only allow a "view" of a document to a request, instead a separate document and security rules containing the private fields needs to be created. This can be fairly simple to design around but seems to be a bit of a "gotcha", plus if you have similar but non identical sets of data that needs to be accessible by different groups it must be duplicated and manually synchronized.
  4. Since there is no way to version data models, incompatible changes require complicated workarounds or an increasingly complicated deserialization process on the client side (especially as existing clients continue to write outdated models).
  5. Schema validation of data written by clients to the database is handled by security rules, which is seemingly unintuitive or missed by many developers because I've seen plenty of projects miss it
  6. If clients are writing data directly, it can become fairly complex to handle and subsequently maintain their contributions, especially if the aforementioned private data documents are required or the data model changes.

All of these pitfalls can be worked around (although I would still argue for some layer of indirection at least for writes), but at this point I've been contracted to 2 or 3 projects worked on by "professionals" (derogatory) that failed to account for any of these issues and I absolutely sick to death of it. I think a measure of a tools quality is whether it guides a developer towards good practices by design and I have found Firestore to completely fail in that regard. I think it can be used well, and it is perfectly appropriate for small inconsequential (as in data leaks would be inconsequential) single developer projects, but it almost never is.