So I'm trying to set rules in Storage, but I need access to Firestore to set them right.

Here is my example:

In my Firestore database I have a users collection which has a collection named items. The path looks like this: /users/items/{itemId}

I want a user to be able to read and write a file in Storage at this path: /items/{id}/file.png only if the {id} of the item already exists in the items collection of the Firestore database. Is there a way to correctly set rules in Storage using Firestore?

I tried this:

service firebase.storage {
  match /b/{bucket}/o {
    match /items/{item}/{allPaths=**} {
      allow read, write: if exists(/databases/{database}/documents/users/$(request.auth.uid)/items/$(item));
    }
  }
}

But this doesn't work :/

Thanks for your help!

Frost

1 Answer

There is no way for security rules of one Firebase product to refer to another Firebase product. The performance implications would be too big.

If such inter-product consistency is a requirement for you, you might want to consider doing the writes from Cloud Functions. While that doesn't suddenly allow cross-product security rules, it does mean that you can ensure it is your code doing the writes and the code is running in a more reliable environment than the average user's phone or PC.

Frank van Puffelen
  • Okay, so I will take a look at Cloud Functions. Thanks for your answer! :) – Frost Mar 01 '18 at 16:17
  • This was helpful. If you upload an image to Firebase Storage via Cloud function though, how would that work? I would then have to upload the image file or sound file to Cloud Function first. I know you could convert image into a long string then upload it to cloud function, but are there other more efficient, better ways to do this? I am worried a hacker may upload billions of images to my Cloud Storage if I do not move uploading to be only done through cloud function. Is this worry unnecessary? – coolcool1994 Mar 23 '20 at 20:46
  • Hi Frank, I have the same question 3 years later. I want to upload an image to the user profile (in the storage), but I need to check if the user is the profile owner to authorize, and the answer is located in Firestore (example owner = uid). Is there a new way to do that 3 years later? The alternative way is to set the path of the profile the same as the uid of the user (so I can check if path = uid of the user who made the request). But is it a security issue that everyone knows the user uid of the other users? Thank you. – Max May 07 '21 at 13:03
  • Nothing changed here. Knowing the UID of a user is no security risk. See https://stackoverflow.com/questions/37221760/firebase-is-auth-uid-a-shared-secret – Frank van Puffelen May 07 '21 at 14:28
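The Cloud Functions approach the answer suggests, as an added example that is not code from the question or the answer: the client sends the bytes to a function, the function checks Firestore for /users/{uid}/items/{itemId} (the path from the attempted rule), and only then writes /items/{itemId}/file.png to Storage, while storage.rules denies direct client writes to /items/**. The `db` and `bucket` parameters are assumed to follow the firebase-admin `firestore().doc().get()` and `storage().bucket().file().save()` shapes; the in-memory fakes, the size cap and the id pattern are constructed for this example so it runs without Firebase.

```javascript
// Added example (not from the post). Server-side gate that Storage rules alone
// cannot express: Firestore lookup first, Storage write second. The Admin SDK
// used inside a Cloud Function bypasses Storage rules, so rules can stay closed.
const MAX_BYTES = 5 * 1024 * 1024; // assumed cap; limits bulk-upload abuse
const ITEM_ID = /^[A-Za-z0-9_-]{1,64}$/; // assumed id shape; itemId lands in a path

// `db` / `bucket` are assumed to behave like admin.firestore() and
// admin.storage().bucket(). Wire this into an HTTPS/callable function handler.
async function uploadItemFile(db, bucket, uid, itemId, bytes) {
  if (!uid) return { ok: false, reason: 'unauthenticated' };
  if (!ITEM_ID.test(String(itemId))) return { ok: false, reason: 'bad-item-id' };
  if (!Buffer.isBuffer(bytes) || bytes.length === 0 || bytes.length > MAX_BYTES) {
    return { ok: false, reason: 'bad-size' };
  }
  // The cross-product check: does this user own an item with this id?
  const snap = await db.doc(`users/${uid}/items/${itemId}`).get();
  if (!snap.exists) return { ok: false, reason: 'no-such-item' };
  const path = `items/${itemId}/file.png`;
  await bucket.file(path).save(bytes, { contentType: 'image/png' });
  return { ok: true, path };
}

// Constructed in-memory stand-ins so the example runs offline.
function fakeFirestore(existingDocPaths) {
  return { doc: (p) => ({ get: async () => ({ exists: existingDocPaths.has(p) }) }) };
}
function fakeBucket() {
  const files = new Map();
  return { files, file: (p) => ({ save: async (data) => { files.set(p, data); } }) };
}

// storage.rules to pair with the function: authenticated reads, no client writes.
const STORAGE_RULES = `service firebase.storage {
  match /b/{bucket}/o {
    match /items/{item}/{allPaths=**} {
      allow read: if request.auth != null;
      allow write: if false;
    }
  }
}`;
```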