is there a way to authenticate user role in firebase storage rules?

Question

I am trying to restrict firebase storage based on user role.

Database:
    users
        <uid>
            admin=false
            ... ... ...

I am trying to use the following kind of rule in firebase storage:

root.child('users').child(auth.uid).child('user').child('admin').val() == true

I am getting access denied after adding this to the write rule.

Thanks.

The Firebase Storage security rules cannot refer to data in the Database. See [this answer](http://stackoverflow.com/questions/38188459/create-group-access-to-firebase-storage-without-using-custom-authorization) or [this one](http://stackoverflow.com/questions/38157858/firebase-storage-whats-the-proper-rules-for-user-based-uploading-deleting) for ways to do something like role-based security. — Frank van Puffelen, Aug 28 '16 at 04:00
Thanks Frank. Its a little hacky, but I guess thats all I can do for now. — Ahsan, Aug 28 '16 at 20:05
You can use "custom claims", you have to set the custom claims in one of your Firebase Functions, but they'll be passed to Firebase Storage. — Ryan Taylor, Mar 27 '19 at 22:03

Ahsan · Accepted Answer · 2016-12-07T20:17:26.957

3

As Frank van Puffelen pointed out in his comment:

function isAdminUser() {
    return request.auth.uid in {
        "yaddayadddayaddUserIDKey":"User Name1"
    };
}

service firebase.storage {
    match /b/<appName>.appspot.com/o {
        match /{allPaths=**} {
            allow read;
            allow write: if request.auth != null && isAdminUser();
        }
   }
}

edited Dec 07 '16 at 20:17

answered Aug 28 '16 at 20:05

Ahsan

2,964
11
53
96

1

The is admin function seems to be hardcoded values. Is this currently the only option? – Jay Byford-Rew Dec 07 '16 at 16:57
Unfortunately, this is all there is for now. – Ahsan Dec 07 '16 at 20:19

is there a way to authenticate user role in firebase storage rules?

1 Answers1

Linked

Related