I'm storing images under uid/PropertyPhotos/Property# (where # is incremented as images are uploaded). The uid belongs to the user that posted the image, not the current logged on Firebase user. What I'd like is to allow anyone to view those images. How do I modify the storage rule below to allow that?
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
// we want anyone to view the property images (no auth, publicy readable)
match /{uid}/PropertyPhotos {
allow read;
}
}
}
Related
Now that firebase has forced using rules scrambling to find the right solution here.
I have all images in the main bucket and every user once logged in has something like
bucket
users/{uid}/uploads
where all there uploaded photos go (would be cool to restrict to images at some point)
these should be public read and write, if write can be only for the authenticated user even better, but auth to read is necessary.
there is a special folder before a user is authenticated and need upload a profile pic
users/uploads
which should be read write to the public here is what i have but the second rule takes precedence
service firebase.storage {
match /b/{bucket}/o {
match /users {
match /uploads {
match /object {
allow read, write
}
}
}
match /{allPaths=**} {
allow read, write: if request.auth != null
}
}
}
I'm thinking it probably needs to be a not /users/uploads forthen then do do this but the documentation is bad for if else statements. any thoughts?
EDIT: this rule set works for reading correctly but still can't write when unauthenticated during sign up
service firebase.storage {
match /b/{bucket}/o {
// Allow only authenticated users to upload
// Any user can read
match /users/uploads {
allow read, write;
}
// Only allow user with auth.uid == uid to read/write
match /users/{uid}/uploads {
allow read: if true;
allow write: if request.auth.uid == uid;
}
}
}
You can try the following rules that'll restrict access to user's own directory and also have a public folder:
rules_version="2";
service firebase.storage {
match /b/{bucket}/o {
// Allow only authenticated users to upload
// Any user can read
match /users/uploads {
allow read: if true;
allow write: if request.auth != null;
}
// Only allow user with auth.uid == uid to read/write
match /users/{uid}/uploads {
allow read: if true;
allow write: if request.auth.uid == uid;
}
}
}
Do note that if request.auth != null; allows everyone write (including delete) so try using allow create: only.
I am using Firebase for Auth and image storage--images that are publically available thoughout my app, like profile pictures. How do I set up the permissions appropriately so that any user (or even non-authenticated entities) can read these public images?
My security rules:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
In your question, you say that you want non-authenticated entities to see the images, but your rules are set up to only allow authenticated entities to see them. You can change your rules to:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read;
allow write: if request.auth != null;
}
}
}
I use a collection called "admin" in Firestore to define which users can write new documents (image below).
At moment, it is controled just by software. I would like to add rules to Firestore. I tried the rule below but it didn't work. What would be the correct rules in that case ?
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth != null;
allow write: if get(/admin/{anyDocument}).data.userId == request.auth.uid;
}
}
}
I'd recommend instead having a users collection with an admin field that can be set to true/false. Then you can do something like:
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if request.auth != null;
allow write: if get(/users/${request.auth.uid}).data.admin == true;
}
}
}
As far i know this is not possible with your current database structure. Because the push key is not accessible in firestore rules unless it is with in the admin node.
One way is to save the admin with their uid as key like admin/userID/data...
now you can access it
allow write: if get(/databases/$(database)/documents/admin/$(request.auth.uid)).data.userId == request.auth.uid;;
I have some articles.
Each article has a reference field to the profile document of the author who wrote that particular article.
Auth'd users (using Firebase's Auth) will be associated with these profiles.
How do I make these articles editable by the currently logged in user only if that user owns the article?
In Firestore's documentation, there is a recurring example:
service cloud.firestore {
match /databases/{database}/documents {
// Allows you to edit the current user document (like a user's profile).
match /users/{userId} {
allow read, write: if request.auth.uid == userId;
}
// Allows you to read/write messages as long as you're logged in (doesn't matter who you're logged in as, so theoretically you could change other peoples' messages 👌).
match /rooms/{roomId} {
match /messages/{messageId} {
allow read, write: if request.auth != null;
}
}
}
}
Where is the example for how to structure and edit a document owned by a certain user?
Assuming you have a document with e.g. owner: <uid> stored in it, you can do:
service cloud.firestore {
match /databases/{database}/documents {
match /somecollection/{id} {
allow write: if resource.data.owner == request.auth.uid;
}
}
}
I have a firebase storage download url, like
https://firebasestorage.googleapis.com/v0/b/siren-5eee7.appspot.com/o/profile%2FC6jNlR0F4cZBPv7wF0REWUNVor33?alt=media&token=63a9130e-2ba6-4f38-ac3f-2231c54a1043
How can I access this url without token parameter?
For example, If I access above url without token there will be 403 error showing permisson denied.
My firebase storage secure rule is below :
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
This file located in /etc file. How can I do it?
Try changing rule:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read;
allow write: if request.auth != null;
}
}
}
In case you need the rule to allow accessing only the images without a token you have to do the following:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read: if request.auth!=null || resource.contentType.matches('image/.*');
allow write: if request.auth!=null;
}
}
}
From what I understand, you're trying to make the whole bucket publicly available. Using Firebase access rules might not be best, you might want to make the bucket read access available via Google Cloud's Storage layer.
To do that, one of the easiest way is using the Google Cloud Console Storage.
Select the bucket, click the bucket to configure and open the permissions tab.
Since this is Firebase managed bucket, it would have what Google called fine-grained access control. Don't worry, adding public access is quite simple.
Click Add members button, then, on the sidebar, add in allUser as new member, and give it the role of Storage > Storage Object Viewer. You can see more detail in the Storage Docs.
This will make the bucket publicly viewable via <bucketname>.storage.googleapis.com.
If you created extra bucket in Firebase that match a domain you own and verified in Google Search Console, you can create a bucket of named after your custom domain and have it publicly accessible using a CNAME of the custom domain that points to c.storage.googleapis.com. You can see more detail at Storage Endpoints Docs, Google Cloud's docs explain it much better than I can. Hope this helps!
If you need to access to certain url (image) without token parameter use the rule below:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /images/users/default.png {
allow read;
}
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
If you need to access to certain folder without token parameter use the rule below:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /images/{wildcardpath=**} {
allow read;
}
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
Note: Change the url or folder to yours