I have created an app, that allows users to create a simple photo collection. All the data is stored in the Firebase Cloud Firestore. The images are uploaded to Firebase Storage. The owner of a collection can invite any other user to access his collection and upload photos. The sharing of data in Firestore works fine. But now I have problems with writing the security rules for Storage. Does anyone know, how I have to write the rules, so that any user added to the collection can access the images as well? The files for each collection are stored in separate folders.
1
votes
What have you tried so far? Is something with security rules not working the way you expect?
– Doug Stevenson
Yeah it is working, if I add the corresponding user ids to the meta data of each file. But how can I enable the user to upload new files? They do not have any meta data that could be validated against the security rules.
– Mojo
Are you saying that you want to use data in Firestore control access to data in Cloud Storage?
– Doug Stevenson
Yeah exactly, what I’m looking for is a way to allow read and write according to the data in Firestore. Is this possible? I thought about a Cloud Function, but I’m not sure if this is possible.
– Mojo
2 Answers
1
votes
You should look into creating a private group and authenticate the group with help of private token.
https://firebase.google.com/docs/storage/security/user-security#group_private
1
votes
Firebase security rules currently do not bridge between products. You can't use data in Cloud Firestore in security rules for Cloud Storage. The only things you have access to in security rules for Cloud Storage are object metadata and Firebase Authentication custom claims per user. You will have to figure out a way to make changes to either one of those things to implement your permissions.
Alternatively, you can direct all access through Cloud Functions to decide if the user should be able to access the content, but bear in mind that Cloud Functions responses can only be 10MB maximum.
