is there a way to authenticate user role in firebase storage rules? [duplicate]

5
votes

I am trying to restrict firebase storage based on user role.

Database:
    users
        <uid>
            admin=false
            ... ... ...

I am trying to use the following kind of rule in firebase storage:

root.child('users').child(auth.uid).child('user').child('admin').val() == true

I am getting access denied after adding this to the write rule.

Thanks.

1
firebasefirebase-realtime-databasefirebase-authenticationfirebase-securityfirebase-storage
The Firebase Storage security rules cannot refer to data in the Database. See this answer or this one for ways to do something like role-based security.Frank van Puffelen
Thanks Frank. Its a little hacky, but I guess thats all I can do for now.Ahsan
You can use "custom claims", you have to set the custom claims in one of your Firebase Functions, but they'll be passed to Firebase Storage.Ryan Taylor

1 Answers

3
votes

As Frank van Puffelen pointed out in his comment:

function isAdminUser() {
    return request.auth.uid in {
        "yaddayadddayaddUserIDKey":"User Name1"
    };
}

service firebase.storage {
    match /b/<appName>.appspot.com/o {
        match /{allPaths=**} {
            allow read;
            allow write: if request.auth != null && isAdminUser();
        }
   }
}