I'm using Python 2.7 for my frontend, so I'm forced to use the REST API to run cloud functions to manage all storage operations.
Right now I'm trying to set basic rules for storage that do the following:
- All users can read
- Only authenticated users with matching uid can write to their appropriate storage
Here are the storage rules:

    rules_version = '2';
    service firebase.storage {
      match /b/{bucket}/o {
        match /{allPaths=**} {
          allow read;
        }
        match /{userId}/{allPaths=**} {
          allow write: if request.auth != null && request.auth.uid == userId;
        }
      }
    }
I noticed that my write rule isn't working, although when using rules playground in the console it verifies and denies as expected.
I hardcoded my cloud function to write into storage with a specific uid in the path, so in theory only that user with the matching uid should be able to write to it. Though if I authenticate with another account it's able to write anyways when it should be getting denied. So why is it ignoring my storage rules?
In Python, I'm calling the endpoint like this:
    import json
    import requests

    # api_key and id_token are defined earlier (API key and the Firebase ID token of the signed-in user)
    img_url = "C:/Users/USER/pic.jpg"
    # open in binary mode: text mode on Windows corrupts JPEG bytes
    with open(img_url, "rb") as f:
        img_data = f.read().encode("base64")
    url = "https://us-central1-[REDACTED].cloudfunctions.net/upload?key={apiKey}".format(apiKey=api_key)
    params = {"imgData": img_data, "idToken": id_token, "mediaType": "image/jpeg"}
    headers = {"Content-type": "application/json", "Authorization": "Bearer " + id_token}
    response = requests.post(url, headers=headers, data=json.dumps(params))
    print response
The response will be 200, and the file will successfully write even though the id token I pass is for a different user.
Are storage rules ignored if I'm going through rest? Do I need to validate this myself in the cloud function?
If it matters, in the cloud function I'm using admin.storage.bucket.file.save to write.
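Added example (not the asker's code or Firebase's): the Admin SDK used inside the Cloud Function bypasses Security Rules, so the function itself has to enforce the same "write only under your own uid" rule. The functions below mirror the storage rule as a pure check; the `decodedToken` they take is assumed to come from `admin.auth().verifyIdToken(idToken)` in the real function, which is not called here so the code runs offline.

```javascript
// Mirror of the storage rule: request.auth != null && request.auth.uid == userId,
// where userId is the first path segment. Returns a decision object so the
// handler can log the reason and answer 401/403 instead of writing.
function authorizeWrite(decodedToken, objectPath) {
  // decodedToken is assumed to be the result of admin.auth().verifyIdToken()
  if (!decodedToken || typeof decodedToken.uid !== "string" || decodedToken.uid === "") {
    return { allowed: false, reason: "unauthenticated" };
  }
  if (typeof objectPath !== "string") {
    return { allowed: false, reason: "bad-path" };
  }
  // Normalise: drop empty segments from leading/double slashes.
  const segments = objectPath.split("/").filter((s) => s.length > 0);
  // Deliberate choice here: require <uid>/<at least one more segment>.
  if (segments.length < 2) {
    return { allowed: false, reason: "path-too-short" };
  }
  // Reject dot segments so "<uid>/../other" cannot escape the owner's prefix.
  if (segments.some((s) => s === "." || s === "..")) {
    return { allowed: false, reason: "traversal" };
  }
  if (segments[0] !== decodedToken.uid) {
    return { allowed: false, reason: "uid-mismatch" };
  }
  return { allowed: true, reason: "ok", path: segments.join("/") };
}

// Safer variant: never accept a client-supplied prefix at all; build the
// object path from the verified uid and a plain file name.
function ownedPath(decodedToken, fileName) {
  if (!decodedToken || typeof decodedToken.uid !== "string" || decodedToken.uid === "") {
    return null;
  }
  if (typeof fileName !== "string" || fileName === "" || fileName.includes("/") ||
      fileName === "." || fileName === "..") {
    return null;
  }
  return decodedToken.uid + "/" + fileName;
}

// Pull the ID token out of "Authorization: Bearer <token>"; null when absent.
function bearerToken(headers) {
  const value = headers && (headers.authorization || headers.Authorization);
  if (typeof value !== "string") return null;
  const match = /^Bearer\s+(\S+)$/.exec(value.trim());
  return match ? match[1] : null;
}
```

In the handler, call `bearerToken(req.headers)`, verify it, then gate `bucket.file(path).save(...)` on `authorizeWrite(decoded, path).allowed` (or write only to `ownedPath(decoded, name)`); anything else returns 403 before touching the bucket.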