Reputation: 57
Control Firebase Storage rules from the application level
I have an application in Firestore that stores user files in the cloud. And here's my question, is it possible for me to set rules through the application? At this point I have something like that:
rules_version = '2';
function isAdmin() {
return request.auth !=null && request.auth.uid in [
"Xk60AqYDM4ONw5VOR0v89c8RF9P2",
"3e8kXyjUvUY8WOHp75Z1Y278OO63"
];
}
function companyJP(){
return request.auth !=null && request.auth.uid in [
"CUTSs8oziESYDzPqyv2ac7XOKMD2",
"gqTFDiP7lYeaCaYFd9SG52LCMYF3"
];
}
service firebase.storage {
match /b/{bucket}/o {
match /users/{userID}/{allPaths=**} {
allow read, write: if request.auth.uid == userID;
}
match /files/{groupId}/{allPaths=**} {
allow read: if resource.metadata.owner == request.auth.token.groupId;
allow write: if request.auth.token.groupId == groupId;
}
match /files/adminFiles/{allPaths=**} {
allow read, write: if isAdmin();
}
match /files/companyJP/{allPaths=**} {
allow read, write: if firmaJP();
}
}
}
I would like to set these rules via a web application. Are there any commands for this? Is there anyone who can help me?
Upvotes: 0
Views: 87
Answers (1)
Reputation: 83191
You cannot change the code of the Security Rules from your front-end application.
What you could do in Firestore Security Rules is to base some conditional statements of the rules (e.g. allow read) on either the existence of some Firestore document or on values contained in document fields. For that you would use the get() and exists() functions, as explained here in the doc. So, from your front-end, you could modify the values of those Firestore documents, to dynamically modify the result of the Security Rules statements.
HOWEVER, in your case you are writing rules for Cloud Storage, and it is not possible, in Cloud Storage Security Rules, to access data or documents stored into Firestore.
One solution is to use Custom Claims. You will be able, through Custom Claims, to implement a role-based access control. Concretely, you can assign the companyJP attribute to the account of user CUTSs8oziESYDzPqyv2ac7XOKMD2 (Please read the doc for more precise details).
And you can, from your front-end application, allow some specific (admin) users to change the claims (i.e. the roles) of other users. Since Custom Claims can only be set from a privileged server environment by the Firebase Admin SDK, the easiest way is to use a Callable Cloud Function that you call from your front-end (and in which you check that the user who is calling the Cloud Function has the Admin privilege).
You will probably be interested by this article which explains how to build a module which allows Firebase end-users with a specific Admin role creating other users and assigning them other specific user roles.
Upvotes: 2
Related Questions
- Is it possible to set storage rules using firestore of Firebase?
- Firebase Storage rule different for a specific folder
- Firebase Security Rules Storage from specific web url
- Security rule to limit storage space used in Firebase Storage?
- How to apply firebase storage rules so only admin can access a folder
- How setting up firebase storage rules for specific users
- How can I setup Firebase Storage rules to check parameters in Firebase Database?
- Firebase Security Rules for Storage
- Firebase Storage Rules
- Can Firebase Storage rules be changed dynamically for authenticated users?