Reputation: 129
I'm working to set my security rules for my Firebase Storage and the read rules do not seem to be having any effect whatsoever.
    rules_version = '2';
    service firebase.storage {
      match /b/{bucket}/o {
        match /{allPaths=**} {
          allow read, write: if request.auth != null;
        }
      }
    }
I can take any imgURL that I have stored and paste it into my browser, and it pulls the image right up. I logged out of the Firebase account and also out of Xcode thinking that maybe
Even if I remove the 'read' from the code above and only specify the write permission, it still allows a read if I paste a URL from one of the files into my browser.
It's like my folder is set to an open read or something.
Upvotes: 2
Views: 670
Reputation: 598847
If the imgURL you are talking about is a so-called download URL, then this is the expected behavior. Firebase's download URLs provide public, read-only access to the file, bypassing the security rules.
If you want to only allow secured access to the data, you should not generate a download URL and only access the file through the other SDK download methods.
Upvotes: 3
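A sketch of the rules-enforced path the answer describes, as an added example that is not part of the original question or answer: the app stores the object's Storage path instead of a download URL and fetches the bytes through the SDK, so the request carries the signed-in user's credentials and is checked against `allow read: if request.auth != null`. The helper name `loadProtectedImage`, the `ProtectedImageError` type, and the 5 MB limit are assumptions made for this example.

```swift
import FirebaseAuth
import FirebaseStorage
import UIKit

// Hypothetical error type for this example (not part of the Firebase SDK).
enum ProtectedImageError: Error {
    case notSignedIn       // no Firebase Auth user, so request.auth would be null
    case deniedByRules     // the security rules rejected the read
    case invalidImageData  // bytes arrived but are not a decodable image
}

/// Hypothetical helper: downloads an image through the Storage SDK rather than
/// through a download URL. `objectPath` is the object's path inside the bucket;
/// persist that path in your database instead of the result of downloadURL().
func loadProtectedImage(atPath objectPath: String,
                        completion: @escaping (Result<UIImage, Error>) -> Void) {
    // The rule requires request.auth != null, so fail early when signed out.
    guard Auth.auth().currentUser != nil else {
        completion(.failure(ProtectedImageError.notSignedIn))
        return
    }

    let ref = Storage.storage().reference(withPath: objectPath)

    // Cap the in-memory download at 5 MB (assumed limit for this example).
    _ = ref.getData(maxSize: 5 * 1024 * 1024) { data, error in
        if let error = error as NSError? {
            // Map rule denials to a distinct case so the UI can react to them.
            let code = StorageErrorCode(rawValue: error.code)
            if code == .unauthorized || code == .unauthenticated {
                completion(.failure(ProtectedImageError.deniedByRules))
            } else {
                completion(.failure(error))
            }
            return
        }
        guard let data = data, let image = UIImage(data: data) else {
            completion(.failure(ProtectedImageError.invalidImageData))
            return
        }
        completion(.success(image))
    }
}
```

Download URLs that were generated earlier keep working until their token is revoked for the file in the Firebase console, so switching the app to this path does not by itself close access for URLs already stored or shared.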