I started out with an issue simply displaying storage contents. The error message was the same Code 400 "Permission denied. Could not access bucket bucket. Please enable Firebase Storage for your bucket by visiting the Storage tab in the Firebase Console and ensure that you have sufficient permission to properly provision resources."
But the changes I made based on This stackoverflow question made the issue worse, now my upload form is giving the same error now and blocks file uploads, even after rolling back all the changes. I tried creating a brand new project on Firebase, but that has the same error.
I also tried to set my bucket permissions to
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read;
allow write;
}
}
}
since I thought that it could be a rights issue, but I get the same error.
I'm not sure what I was trying to do when I added this bit of code, but I had added
{ provide: StorageBucket, useValue: 'bucket' }
To my providers: on my app.module. I think it was a place holder for something and I forgot to remove it before committing the project.
This led me down and interesting troubleshooting path that finally led me to doing breakpoints and console logs until I found the issue.
const task = this.storage.upload(filePath, file);
I did a console log of task, which gave me a location, that's where I found
bucket: bucket
I then added the same console.log to a working project that showed
bucket: whatever.appspot.com
and I knew I made a mistake somewhere. I just happened across the entry in the app.module.ts file while trying to recreate the issue in stackblitz. The error is resolved.
Related
I'm trying to trigger my function on specific path in storage bucket using:
exports.generateThumbnail = functions.storage.bucket("users").object().onChange(event => {});
When I try to deploy it, console shows:
functions[generateThumbnail]: Deploy Error: Insufficient permissions to (re)configure a trigger (permission denied for bucket users). Please, give owner permissions to the editor role of the bucket and try again.
How can I do that? Do I nedd to setup IAM or bucket permission or maybe something else?
Looks like the issue is that you're trying to reference a bucket named "users" rather than filtering on an object prefix.
What you want is:
exports.generateThumbnail = functions.storage.object().onChange(event => {
if (object.name.match(/users\//)) {
// do whatever you want in the filtered expression!
}
});
Eventually we want to make prefix filtering available so you can do object("users"), but currently you have to filter in your function like above.
Firesbase Storage security rules allow update not working, can't prevent file over-write.
Example rule:
match /test/{userId}/{imageId} {
allow create: if request.auth.uid == userId;
allow update: if false;
}
Here I'm allowing authenticated users to only 'create' file, but not update/over-write.
Expected behavior: It shouldn't be allowed to update/over-write the existing file.
Actual behavior: When I'm again uploading a different file, but with same file name {over-writing the existing file}, then it's allowed to update/over-write.
How to prevent file update?
I tried to create the same structure as yours in Firebase Storage and turns out the rules are working for me.
I doubt if your structure is something like /test/{userId}/images/{imageId} which makes more sense if you are storing user generated content.
If the above if the case, then please update the rule to: /test/{userId}/images/{imageId}
If the issue still persists please share a screenshot of your Firebase Storage Directory structure.
I'm getting the URL with getDownloadURL after i put the url inside a img tag but i get this error
the rules of the storage are these:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
So everybody should be able to read, so i can't understand :(
somebody can help?
This may be due to a missing permission. You need to check whether you have
firebase-storage#system.gserviceaccount.com
as a member with a "Storage Admin" role. If you don't have one, then add it. That would fix the issue.
Here are the steps on how you can check and add permissions.
Go to Cloud console
Navigate to Storage
Select your bucket then click show info panel.
You can also add the missing permission in the IAM & Admin if you want.
If it is not the problem then you are getting the error due to the some problem in the code, you may want to check it once more.
I'm sure I'm missing something wrt Firebase Storage rules, but I've done the following:
STEP 1
Firstly I set the following Firebase Storage rule:
service firebase.storage {
match /b/{bucket}/o {
match /items/{dev_key}/{perm_id}/{file_name} {
allow write: if request.auth.uid == dev_id;
allow read: if request.auth.token.permId == perm_id;
}
}
}
I expected only signed in users with a custom claim permId matching the relevant location to be able to download the file, allow read: if request.auth.token.permId == perm_id;.
So, I then set a custom claim in Cloud Functions on a user as follows:
STEP 2
admin.auth().setCustomUserClaims(uid, {permId: '1'}).then(() => {
// send off some triggers to let user know the download is coming
admin.database().ref(`collection/${uid}/${itemId}`).update({
downloadReady: true
});
});
Then I signed the user out and signed back in again... which set the custom claims.
I checked that they were set in Cloud Functions as follows:
STEP 3
admin.auth().verifyIdToken(idToken).then((claims) => {
console.log("--------------claims -------------");
console.log(JSON.stringify(claims));
});
And I saw in the claims string... permID: "1"
On the client side I then requested a downloadURL (here is hopefully where I'm going wrong)... I expected this to not be the public download url but rather the download url that the Firebase Storage security rules will check:
STEP 4
var pathReference = storage.ref('items/<some-key>/1/Item-1');
pathReference.getDownloadURL()
.then((url)=>{
console.log("url: ", url);
})
The url I received from this call gave me this link
https://firebasestorage.googleapis.com/v0/b/emiru84-games.appspot.com/o/games%2FcfaoVuEdJqOWDi9oeaLLphXl0E82%2F1%2FGame-1?alt=media&token=45653143-924a-4a7e-b51d-00774d8986a0
(a tiny little image I use for testing)
So far so good, the user with the correct claim was able to view this image
I then repeated step 2, logout/login again, except this time with a permId of "0". I expected the url generated previously to no longer work since my user no longer had the correct custom claim... and the bucket location was still at the same location (bucket/dev_key/1/filename) but it still worked.
If I repeated step 4 I got a new url, which then gave the appropriate 403 error response. However the old url still worked (I guess as long as the token parameter is tacked on). Is this expected, if so, I'm not sure I understand how the Storage security rules make a difference if the download url is public anyway?
Any help clearing my foggy brain would be appreciated.
The download URL in Cloud Storage for Firebase is always publicly readable. It is not affected by security rules.
If you don't want to allow public access to a file, you can revoke its download URL.
I have this DB structure in Firebase:
[bets]
-KTd9VKWJwHd_L6j_oAF
date
team1
etc
-KTdCc7uVmueNtcYzU1m
date
team1
etc
[users]
I'm now trying to write Firebase rules to allow users to only read bets assigned to them. But I ran into problems right away. I have these very basic rules:
{
"rules": {
"bets": {
"$bet": {
".read": true,
".write": true
}
}
}
}
When I try to visit /bets (where I display a list of bets) I get thrown the error:
Error: permission_denied at /bets: Client doesn't have permission to access the desired data.
If I instead place the .read and .write under bets instead of $bet, it works fine. What am I missing?
Firebase evaluates read permission at the location where you attach a listener. You attach a listener to /bets, so it rejects the listener since you don't have read permission on /bets.
If you have read permission to /bets, you also can read everything under it. So this means that you can't use Firebase Database security rules to filter data.
See the section rules are not filters in the Firebase documentation. Or search for Firebase questions mentioning "rules are not filters" here and you'll see this is a common pitfall for developers.