3
votes

Hi, I am using Firebase Cloud Storage to develop a web application. I would like to set different security rules for setting a file and for deleting a file. It seems that write includes both of them according to the documentation. Does anyone know how to solve this problem?

What I would like to do is this.

  1. Anyone can set a file if they are logged in.
  2. Only the user who set the file can delete it.
1
Cloud Functions doesn't have security rules. Only Cloud Storage, Cloud Firestore, and Realtime Database have security rules that are enforced for client apps. Cloud Functions using the admin SDK bypass these rules. - Doug Stevenson
Thanks for the response. It was my mistake that I wrote Cloud Function in the title. I edited the title. I wanted to ask about Cloud Storage. - Tsukasa Nomoto

1 Answer

5
votes

You can detect that a file is being deleted with request.resource == null in your rule.

But there is no property in the file objects (that I know of) to know who created the file.

A common approach is to store the files under a path that identifies their creator, e.g. /users/$uid/filename. With that structure you can check like this:

match /users/{userId}/profilePicture.png {
  allow read;
  allow write: if request.auth.uid == userId && request.resource == null;
}

An alternative would be to add an owner property to the metadata of each file and then check:

match /{fileId} {
  allow read;
  allow write: if (request.auth.uid == resource.metadata.owner && request.resource == null);
}
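
A complete ruleset covering both requirements from the question, added here as an example and not part of the original answer. It splits `write` into the granular `create`, `update` and `delete` operations that Cloud Storage rules support. The `/users/{userId}/{fileName}` and `/shared/{fileId}` paths and the custom metadata key `owner` are assumptions.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {

    // Variant 1: ownership is encoded in the path (assumed layout).
    match /users/{userId}/{fileName} {
      allow read;
      // Uploads and overwrites: signed-in users, only into their own folder.
      allow create, update: if request.auth != null
                            && request.auth.uid == userId;
      // Deletes: only the user whose uid appears in the path.
      allow delete: if request.auth != null
                    && request.auth.uid == userId;
    }

    // Variant 2: ownership is stored in custom metadata.
    // The key name "owner" is an assumption; the client must set it at upload.
    match /shared/{fileId} {
      allow read;
      // New files: any signed-in user, but the owner tag must be their own uid,
      // otherwise a client could upload a file that names someone else as owner.
      allow create: if request.auth != null
                    && request.resource.metadata.owner == request.auth.uid;
      // Overwrites and metadata changes: owner only, and the owner tag is frozen,
      // so ownership (and with it the right to delete) cannot be reassigned.
      allow update: if request.auth != null
                    && resource.metadata.owner == request.auth.uid
                    && request.resource.metadata.owner == resource.metadata.owner;
      // Deletes: only the uid recorded on the stored file.
      allow delete: if request.auth != null
                    && resource.metadata.owner == request.auth.uid;
    }
  }
}
```

In the rules above, `resource` is the file as currently stored and `request.resource` is the incoming file, which is why the delete conditions read ownership from `resource`.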