4
votes

I am currently writing a web site using NodeJS, HTML, and Firebase for database services, authentication, and storage. The problem that I am currently having is that Firebase Storage rules do not work according to my interpretation of the documentation.

The directory structure for my Firebase Storage instance is as follows (with obviously fake UIDs):

/
└─ users/
   ├─ a67dhfa7dhf96/
   │   ├─ picture.jpg
   │   └─ private/
   │       └─ privateDetails.txt
   └─ h9dh91hf7edgn/
       ├─ picture.jpg
       └─ private/
           └─ privateDetails.txt

I would like to make it so that the files that are stored in the different users' folders are readable by any user, whether they are authenticated or not, and then make the files in the private folder only available to a logged-in user. My current Firebase Storage rules look like this:

service firebase.storage {
    match /b/{bucket}/o {
        match /users/{userId} {
            match /* {
                allow read;
            }
            match /private {
                allow read, write: if request.auth != null;
            }
        }
    }
}

With these rules, I always get a 403: "Permission denied. Could not perform this operation" on any file unless I use the custom download tokens that Firebase Storage supplies, whether the files are in the private directories or not. I have also tried the following rules, which also result in a 403 for every file.

service firebase.storage {
    match /b/{bucket}/o {
        match /users/{userId}/* {
            allow read;
        }
        match /users/{userId}/private {
            allow read, write: if request.auth != null;
        }
    }
}

Why do these sets of rules not work like they should?


1 Answer

0
votes

You should use wildcards to match /users/{userId}/*.

service firebase.storage {
    match /b/{bucket}/o {
        match /users/{userId} {
            match /{imageId} {
                allow read;
            }
            match /private/{imageId} {
                allow read, write: if request.auth != null;
            }
        }
    }
}
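The following is an added example, not part of the question or the answer above. It is a small JavaScript model of how Firebase Storage rule paths are matched: a `{name}` wildcard binds exactly one path segment, `{name=**}` binds the rest of the path, and every other segment must match literally, so a bare `*` is just the character `*`. It shows why the question's patterns never match the files in the tree while the answer's `{imageId}` patterns do, and it also adds an owner check (`request.auth.uid == userId`) on the private folder, since `request.auth != null` alone lets any signed-in user read every other user's private files. The matcher (`matchPattern`, `isAllowed`) and the rule-set representation are a simplified assumption about the engine, not Firebase's own evaluator; the paths and UIDs are the constructed ones from the question.

```javascript
// Added example: a simplified model of Firebase Storage rule matching.
// It is an assumption about how the engine behaves, not Firebase's code.

// Nested `match` blocks in the real syntax concatenate onto their parent's
// path, so each rule is written here as a fully-qualified pattern with the
// operations it allows and a condition over { auth, vars }.
const ANY = () => true;

// Model of the question's first rule set: `/*` and `/private` are literal
// segments in this model (`*` is not a rule wildcard), so no file in the
// tree ever matches, which is a deny (the 403) for every request.
const questionRules = [
  { pattern: '/users/{userId}/*', ops: ['read'], cond: ANY },
  { pattern: '/users/{userId}/private', ops: ['read', 'write'],
    cond: ({ auth }) => auth !== null },
];

// Model of the answer's rule set, with an added owner check on `private`
// so only the user whose UID is in the path can read or write those files.
const answerRules = [
  // match /users/{userId}/{imageId} { allow read; }
  { pattern: '/users/{userId}/{imageId}', ops: ['read'], cond: ANY },
  // match /users/{userId}/private/{fileId} {
  //   allow read, write: if request.auth != null && request.auth.uid == userId;
  // }
  { pattern: '/users/{userId}/private/{fileId}', ops: ['read', 'write'],
    cond: ({ auth, vars }) => auth !== null && auth.uid === vars.userId },
];

// Match one pattern against a path. Returns the bound wildcard variables,
// or null when the pattern does not cover exactly this path.
function matchPattern(pattern, path) {
  const pSegs = pattern.split('/').filter(Boolean);
  const segs = path.split('/').filter(Boolean);
  const vars = {};
  for (let i = 0; i < pSegs.length; i++) {
    const p = pSegs[i];
    const rest = p.match(/^\{(\w+)=\*\*\}$/);   // {name=**}: bind the remainder
    if (rest) { vars[rest[1]] = segs.slice(i).join('/'); return vars; }
    if (i >= segs.length) return null;           // pattern longer than path
    const single = p.match(/^\{(\w+)\}$/);       // {name}: bind one segment
    if (single) { vars[single[1]] = segs[i]; continue; }
    if (p !== segs[i]) return null;              // literal segment mismatch
  }
  return segs.length === pSegs.length ? vars : null; // path longer than pattern
}

// A request is allowed only if some matching rule grants the operation and
// its condition holds; with no such rule the default is deny.
function isAllowed(ruleSet, op, path, auth) {
  return ruleSet.some(r => {
    const vars = matchPattern(r.pattern, path);
    return vars !== null && r.ops.includes(op) && r.cond({ auth, vars });
  });
}

// Constructed paths from the question's directory tree.
const PUBLIC_PIC = '/users/a67dhfa7dhf96/picture.jpg';
const PRIVATE_TXT = '/users/a67dhfa7dhf96/private/privateDetails.txt';
const OWNER = { uid: 'a67dhfa7dhf96' };
const OTHER = { uid: 'h9dh91hf7edgn' };

console.log('question rules, public read:', isAllowed(questionRules, 'read', PUBLIC_PIC, null));
console.log('answer rules, public read:', isAllowed(answerRules, 'read', PUBLIC_PIC, null));
console.log('answer rules, private read by owner:', isAllowed(answerRules, 'read', PRIVATE_TXT, OWNER));
console.log('answer rules, private read by other user:', isAllowed(answerRules, 'read', PRIVATE_TXT, OTHER));
```

Run it with `node` to see the deny/allow decisions for each path. Without the owner check, the last line would print `true`, which is the gap to keep in mind when "only a logged-in user" is really meant to be "only the user the folder belongs to".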