Creating Firebase Storage Security Rules Based on Firebase Database Conditions [duplicate]

3
votes

Is it possible to assign Firebase Storage security rules based on evaluating a condition from data stored in Firebase Realtime Database?

For Example:

(1) Firebase Storage Model:

{ userPhotos/:
       "JohnUID" : {
           "JohnURL": john.jpeg,
       },

       "JaneUID" : {
            "JaneURL": jane.jpeg,
        },

        "AbbyUID" : {
             "AbbyURL": abby.jpeg,
        },
 }

(2) Firebase Realtime Database Model:

{ userReadPermissions: 
       "JohnUID": {
           "JohnUID": true,
           "JaneUID": true,
           "AbbyUID": false,
       },

       "JaneUID": {
           "JohnUID": true,
           "JaneUID": true,
           "AbbyUID": false,
       },

       "AbbyUID": {
           "JohnUID": false,
           "JaneUID": false,
           "AbbyUID": true,
       },
}

The goal is to only allow read permissions to the photo URL storage node (1) according to the conditions set by each UID in Firebase RTD (2).

For example, John's photo would only be visible to John & Jane, but not Abby, as the per the permissions defined by each user in (2).

Similarly, Jane's photo would only be visible to John & Jane, but not Abby, while Abby's photo would be visible to Abby only, and to neither John or Jane.

Is there a way to cross-reference conditions defined across these Firebase services to define security rules accordingly?

1
firebasefirebase-realtime-databasefirebase-storagefirebase-security

1 Answers

2
votes

There is no way to access the Firebase Realtime Database from Firebase Storage security rules.

You will either have to encode the read permissions directly into the Storage security rules (as shown here), or encode the "membership" into a small set of custom claims.

Also see: