In Firebase storage, can I use db "get" rules?

Question

I'm trying to secure my Firebase (google cloud storage) files based on user data. In firestore, I use a rule based on getting database content (look up the uid in users table and match a field) and that's working fine. I'm trying to use the same kind of rules in firebase storage but in the simulator I get Error: simulator.rules line [12], column [17]. Function not found error: Name: [get].; Error: Invalid argument provided to call. Function: [get], Argument: ["||invalid_argument||"]. My rules look like this:

  match /b/{bucket}/o {
    function isAuth() {
      return request.auth != null && request.auth.uid != null
    }
    function isAdmin() {
      return isAuth() &&
      "admin" in get(/databases/$(database)/documents/users/$(request.auth.uid)).data.roles;
    }
    function clientMatch(client) { // expects user's "client" field to be ID of client
      return isAuth() &&
      client == get(/databases/$(database)/documents/users/$(request.auth.uid)).data.client;
    }
    match /P/Clients/{client}/{allPaths=**} {
      allow read, write: if isAdmin() || clientMatch(client);
    }
  }
}

Line 12 is the one beginning client == get, in clientMatch(). I haven't been able to tell whether these functions are only supported for Firestore (db) rules, or whether they should work for storage as well.

If this doesn't work, what are my options? How do people look up user data for Firebase storage security?

score 10 · Accepted Answer · answered Feb 27 '19 at 16:53

10

You currently can't reference Firestore documents in Storage rules. If you would like to see that as a feature of Storage rules, please file a feature request.

Consider instead using a Cloud Functions storage trigger to perform some additional checks after the file is uploaded, and remove the file if you find that it's not valid.

answered Feb 27 '19 at 16:53

Doug Stevenson

297,357
32
422
441

2

It's mostly not about write, but about restricting reads. I don't want clients to see one another's files! – GaryO Feb 27 '19 at 16:56
If I could use a cloud function to edit my Storage rules on creation of a new user, that's pretty gross but it would work -- is that possible? – GaryO Feb 27 '19 at 16:57
(The rules file is going to get pretty long though!) – GaryO Feb 27 '19 at 16:57
You can't do that either. – Doug Stevenson Feb 27 '19 at 16:59
Hmm. Googling around I see some discussion of "custom claims" in the auth record; will those work for me? I.e. store the client ID in the custom claims and match that in the Firebase storage rules? (e.g. https://firebase.google.com/docs/auth/admin/custom-claims) – GaryO Feb 27 '19 at 17:05
1

You can use custom claims. – Doug Stevenson Feb 27 '19 at 17:28
As Doug said custom claims works fine. Saves you a read on firestore too if you are using them for firestore rules. – MadMac Jul 22 '21 at 22:50
I posted an answer here: https://stackoverflow.com/a/73497822/188740 – Johnny Oshika Aug 26 '22 at 07:56

score 2 · Answer 2 · answered Oct 01 '22 at 08:27

This is now possible with cross-service security rules. You have to use firestore. namespace before the get() and exists() functions as shown below:

function isAdmin() {
  return isAuth() && "admin" in firestore.get(/databases/$(database)/documents/users/$(request.auth.uid)).data.roles;
}

Do note that you'll be charged for read operations just like in Firestore security rules.

In Firebase storage, can I use db "get" rules?

2 Answers2

Linked