0
votes

I am building a web-app using Firestore that allows users to collaborate on projects and share files in each project. I am trying to set up Firebase Storage rules to control the users' read rights to each file so only a user that participates in a project can read that file. I write the UIDs of each user that has the right to read a file to metadata, so the metadata custom data contains value pairs like: 'user0': uid0, 'user1': uid1, etc. My question is how I can set up a storage rule that allows only users with their uid in metadata to read a file. I have tried with something like this:

allow read: if request.auth.uid in resource.metadata;

but it doesn't work. The only thing I can get to work is:

allow read: if request.auth.uid == resource.metadata.user0 ||
               request.auth.uid == resource.metadata.user1 ||
               request.auth.uid == resource.metadata.user2 ||
               request.auth.uid == resource.metadata.user3 ||
               request.auth.uid == resource.metadata.user4 ||
               request.auth.uid == resource.metadata.user5 ||
               request.auth.uid == resource.metadata.user6 ||
               request.auth.uid == resource.metadata.user7 ||
               request.auth.uid == resource.metadata.user8 ||
               request.auth.uid == resource.metadata.user9;

but then I have to decide up front how many users can share a file, and that doesn't fulfil my project requirements.

Is there a way to make something like 'if request.auth.uid in resource.metadata' work? Or can somebody recommend another way of handling file access rights, where I can give a variable number of users rights to each file?


1 Answer

2
votes

Instead of using keys named user0, use the actual UID of the user as the metadata key, and assign it some dummy value like "1". Now your rule is much easier to write. It might go something like this:

allow read: if resource.metadata[request.auth.uid] == "1";

And you can have as many users as will fit into the editable metadata payload.
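To make the answer's scheme concrete, here is an added example that is not part of the question or answer: a helper that builds the `customMetadata` object handed to the Firebase Storage SDK's `uploadBytes(ref, data, metadata)` or `updateMetadata(ref, metadata)` from a list of participant UIDs, plus a local evaluator that mirrors the rule `resource.metadata[request.auth.uid] == "1"` so the grant logic can be checked offline. The UIDs are constructed, and `buildGrantMetadata`, `canRead` and `revoke` are hypothetical names.

```javascript
// Added example modelling the answer's "UID as metadata key" scheme.
// Constructed sample UIDs; not real Firebase users.
const PROJECT_MEMBERS = ["uid_alice_7f3a", "uid_bob_19c2"];

// Builds the metadata object for uploadBytes()/updateMetadata().
// Every participant UID becomes a key with the dummy value "1";
// custom metadata values must be strings in Firebase Storage.
function buildGrantMetadata(uids, contentType = "application/octet-stream") {
  const customMetadata = {};
  for (const uid of uids) {
    if (typeof uid !== "string" || uid.length === 0) {
      throw new TypeError("UID must be a non-empty string");
    }
    customMetadata[uid] = "1";
  }
  return { contentType, customMetadata };
}

// Local model of: allow read: if resource.metadata[request.auth.uid] == "1";
// `auth` is null for unauthenticated requests; the real rule denies those
// because request.auth.uid cannot be evaluated, and a missing key is also
// a denial. hasOwnProperty avoids matching inherited keys such as
// "constructor" on a plain JS object, which the rules engine never has.
function canRead(customMetadata, auth) {
  if (auth === null || typeof auth.uid !== "string") return false;
  return (
    Object.prototype.hasOwnProperty.call(customMetadata, auth.uid) &&
    customMetadata[auth.uid] === "1"
  );
}

// Revoking a participant is just dropping the key and writing the
// metadata back with updateMetadata(); no fixed user slot count needed.
function revoke(customMetadata, uid) {
  const next = { ...customMetadata };
  delete next[uid];
  return next;
}
```

The grant list is only as trustworthy as the write rule on the object, so the rule that allows metadata updates should be limited to the project owner or another server-controlled path.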