Reputation: 650
Firebase Storage security read rule ignored
I've met with some unexpected behaviour when trying to write my Firebase Storage security rules for an Android app.
To test a simple case, I wrote the following rules:
service firebase.storage {
match /b/<my-firebase-storage-bucket>/o {
match /{allPaths=**} {
allow read: if request.auth.uid == "mystery";
allow write: if request.auth.uid == "6EP13cYABCciskhKwMTaXYZHS5g1";
}
}
}
The effect was that I could only upload a file if I logged into my app with the authorised write uid - "6EP13cYABCciskhKwMTaXYZHS5g1" - but I could still read a file regardless of which uid I was logged in with. So it appeared that only the write rule was actually operative; the read rule was being ignored.
To test further, I rewrote the rules as:
service firebase.storage {
match /b/<my-firebase-storage-bucket>/o {
match /{allPaths=**} {
allow read: if false;
allow write: if true;
}
}
}
This allowed me to both upload and read files when logged into my app: again it seemed that only the write rule was operative.
Can anyone think of a possible explanantion for this?
Upvotes: 3
Views: 1421
Answers (1)
Reputation: 38319
You explain in the comment under your question that you use getDownloadUrl() to obtain an URL for the file. You then pass the URL to Glide, which reads the file. The documention for getDownloadUrl() notes that the URL can be used to share the file :
Asynchronously retrieves a long lived download URL with a revokable token. This can be used to share the file with others, but can be revoked by a developer in the Firebase Console if desired.
That suggests to me that the URL is effectively a "shareable link" to the file and security rules defined in Firebase Storage do not apply when the URL is used to access the file. One can think of many cases where it is not possible to apply the rules. For example, when the URL is used in a Glide request, the request does not contain information about the requestor's signed-in UID, it only contains the URL.
If you want to restrict access to a file via the URL, I think you can only do that by restricting access to the URL itself.
Upvotes: 2
Related Questions
- Firebase Storage security rules playground "Simulated read denied"
- Firebase Storage Rules strange behavior
- Firebase Storage read security rules don't seem to be having any effect
- Firebase Storage: User not permitted to access object despite public rules
- Firestore Security Rule denying read/write on firebase-storage
- Firebase Storage Rules - access granted doesn't match rules
- Firebase storage rules "unauthorized"
- Firebase Storage security rule error- User does not have permission
- Firebase storage security rules not working
- Firebase private rule not working for storage