9

So I'm trying to set rules into storage, but I need to access to firestore to set it right.

Here is my example:

Into my firestore database I have a users collection which have a collection named items. The path look like this: /users/items/{itemId}

I want that a user can read and write a file into storage with this path: /items/{id}/file.png only if the {id} of the item already exist into the items collection of firestore database. Is there a way to set correctly rules into storage using firestore ?

I tried this:

service firebase.storage {
  match /b/{bucket}/o {
    match /items/{item}/{allPaths=**} {
        allow read, write: if exists(/databases/{database}/documents/users/$(request.auth.uid)/items/$(item));
    }
  }
}

But this doesn't work :/

Thanks for your help!

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807
Frost
  • 144
  • 1
  • 11

1 Answers1

12

Update (Oct 2022): it is now possible to access Cloud Firestore from within your Cloud Storage security rules with the new firestore.get() and firestore.exists() function. See the blog post Announcing cross-service Security Rules and the documentation on enhancing Cloud Storage security rules with Cloud Firestore.

Previous answer: There is no way for security rules of one Firebase product to refer to another Firebase product. The performance implications would be too big.

If such inter-product consistency is a requirement for you, you might want to consider doing the writes from Cloud Functions. While that doesn't suddenly allow cross-product security rules, it does mean that you an ensure it is your code doing the writes and the code is running in a more reliable environment then the average user's phone or PC.

Frank van Puffelen
  • 565,676
  • 79
  • 828
  • 807