Is it possible to setup Firebase Storage rules to check parameters in Firebase firestore?

Asked Nov 10 '20 at 22:44

Active Nov 10 '20 at 22:44

Viewed 21 times

So I'm fairly new to firebase security rules but I'd like to grant write access only to specific admin users. The issue is, my users collection is stored in cloud firestore while images are stored in storage. This is the code I've written so far, not realizing that get can only be called from within firestore rules:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
    
    function isAdmin(userId) {
        let user = get(/databases/$(database)/documents/users/$(userId));
      return user.admin;
        }
      allow read: if request.auth != null;
      allow write: if request.auth != null && isAdmin(request.auth.uid);
    }
  }
}

Any ideas on how to make this work?

asked Nov 10 '20 at 22:44

Kristian Martinez

1

Nope. Firebase Storage security rules only have access to the user's auth token, and to the metadata of the affected file. So you will have to store the user's status in their auth token, typically as a custom claim. Also see https://firebase.google.com/docs/rules/basics#custom-claim_attributes_and_roles – Frank van Puffelen Nov 10 '20 at 22:55
Thanks Frank I will try this out – Kristian Martinez Nov 10 '20 at 23:50

Is it possible to setup Firebase Storage rules to check parameters in Firebase firestore?

0 Answers0