This question already has answers here:
Set Firebase Storeage file size and File number limit
(1 answer)
Limit number of files in a firebase storage path
(1 answer)
Closed 6 months ago.
I created this piece of code as a rule too limit number of items stored there, but I still can add as many new images, as I want.
match /images/logo/{userId}/{imageId} {
allow write: if request.resource.size < 1 * 1024 * 1024
&& request.resource.contentType.matches('image/.*')
&& list(/images/logo/{userId}).size() < 1;
}
It's not possible to limit the number of objects in a Cloud Storage bucket using Firebase security rules. There is no function list() available in security rules.
You're probably better off recording the count of objects in a database and use that in conjunction with a Cloud Functions trigger to determine if an object should be allowed to remain after uploading.
Let the client upload the logo image with the same filename, then there will be only one, even without rules.
Related
This question already has answers here:
Firebase Firestore security rule: Only allow collection group query if filtering by a specific field
(2 answers)
Firestore Security Rules: Passing a request parameter in a get() call?
(1 answer)
Can I send value with request to Firestore rules
(2 answers)
Firebase Firestore - security rule based on "where" query parameters
(1 answer)
Closed last year.
I have the following Firestore query which can be invoked by a non-Firebase user (the sessionId is just a session id - not a Firebase user id):
const q = query(collection(firestore, "apples"), where("sessionId", "==", sessionId));
I am thinking that I need a Firestore rule to prevent access to the whole apples collection. I just want the user to access the documents where the sessionId field matches the sessionId of the requester.
I tried (which does not work):
match /apples/{appleID} {
allow read: if request.resource.data.sessionId == resource.data.sessionId;
}
But if I have understood the reference correctly - request.resource is only available on write requests.
How can I solve this issue?
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 1 year ago.
Improve this question
I have an application that should allow users to upload files totaling 150 GB per user and should prevent users from uploading new files beyond that. How can I add this restriction?
You would have to upload the files through a Cloud function/server and keep track of total size that a user has uploaded:
1. Upload image to your server
2. check the size and add it to total size stored in a database
3. If the user has exceeded 150 GB, return quota exceeded error else upload to Firebase storage
user -> server -> Firebase storage
An easier alternative would be to use Cloud Storage Triggers which will trigger a Cloud function every time a new file is uploaded. You can check the object size using the metadata and keep adding it in database. In this case, you can store total storage used by a user in custom claims in bytes.
exports.updateTotalUsage = functions.storage.object().onFinalize(async (object) => {
// check total storage currently used
// add size of new object to it
// update custom claim "size" (total storage in bytes)
});
Then you can write a security rule that checks sum of size of new object and total storage being used does not exceed 150 GB:
allow write: if request.resource.size + request.auth.token.size < 150 * 1024 * 1024 * 1024;
This question already has answers here:
How to get size of an element/list in Firebase without get it all?
(2 answers)
Closed 2 years ago.
Is there any way in year 2020 to get the number of children of a node in Firebase Database without downloading the entire payload on the client?
I have about 20 000 users in db and I want to get a count of them.
Users
userUID_1
- 300 properties
userUID_2
- 700 properties
.
.
.
I will give you a better idea:
create a new node called UsersCount:
UsersCount
|
|--------------number : "..."
When you save users to Users at the same time update the number in the UsersCount, now when you want to get the users count you don't have to read the whole Users node, instead you just read the UsersCount
I guess that you could implement a function to retrive this count within the server.
This question already has answers here:
Firestore Security Rules - How can I check that a field is/isn't being modified?
(10 answers)
Closed 3 years ago.
I am looking to apply firestore rules to restrict the change (write, update) of a specific field in a document.
From what I understand in the docs you cannot apply rules on read: to document fields as documents need to be read in their entirety, however, it's not stated about writes, updates?
My structure is like the below example;
match /ads/{adDocument} {
//adDocument has a field "price" this needs to only be read not changed/updated.
};
How would I go about implementing this?
You can write a CQRS mediator for all changes, and disallow all write to the documents.
To make a change, the client can add a document to mutate the document on all mutable fields:
/PATCH_ads/{adDocument}:
- itemName: "newItemName"
The mediator should be triggered once a document is added in the PATCH_ads collection. The mediator should reject the change if receiving a command to modify price field, and commit the change if the content of the requested change is valid.
This question already has answers here:
Cloud Firestore: Enforcing Unique User Names
(8 answers)
Closed 3 years ago.
I am currently trying to verify before a user creates data in the database if the data exists. Even unter an other Document id.
Like this: User creates data, firestore rules gets all documents in collection and checks if the property name is the same as from the user provided. If yes, return unauthorized access.
At this point I have:
function checkIfCatExists(){
return get(/databases/$(database)/documents/category/$(documents)).data.name != null;
}
But this does not work. Do you guys have an idea? I could create a function for that but I want to do as much as possible with rules.
There is no way to search a collection for a specific value in security rules, as that operation wouldn't scale.
If you want to ensure unique user names, you'll have to create a collection where you use the user names as the key. You can then use the exists function in your security rules, to check if the name already exists in the collection.
Also see:
Cloud Firestore: Enforcing Unique User Names
Firestore security rule to check if character username already exists
Firestore security rules - can I query for a document with specific fields?
I want to write a rule that will don't allow add same document second time