I'm getting the URL with getDownloadURL after i put the url inside a img tag but i get this error
the rules of the storage are these:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
So everybody should be able to read, so i can't understand :(
somebody can help?
This may be due to a missing permission. You need to check whether you have
firebase-storage#system.gserviceaccount.com
as a member with a "Storage Admin" role. If you don't have one, then add it. That would fix the issue.
Here are the steps on how you can check and add permissions.
Go to Cloud console
Navigate to Storage
Select your bucket then click show info panel.
You can also add the missing permission in the IAM & Admin if you want.
If it is not the problem then you are getting the error due to the some problem in the code, you may want to check it once more.
Related
I am developing an application, which uses Firestore as a database. I have a collection of admins, where the id of the documents is the email address of the admin. I want to create a security rule, which enables only admins to create new documents. My current solution looks like this:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{collectionName}/{document=**} {
allow create: if exists(/databases/$(database)/documents/admins/$(request.auth.email));
}
}
}
But when I try to run the admin app, it gives a missing or insufficient permissions error. Furthermore, when I try to test it in the rules playground, it gives the following error:
Error running simulation — Error: simulator.rules line [6], column [24]. Function not found error: Name: [exists].; Error: Invalid argument provided to call. Function: [exists], Argument: ["||invalid_argument||"]
As far as I understand, somehow the exists function is missing and the document id is invalid, but why? It's just a string, isn't it?
If you are trying to get the email associated with the auth request, you have to do it like this:
$(request.auth.token.email).
You can see details on the structure of the Request.auth object here.
There is no option to make a user Admin and give special privileges in realtime database I think it goes the same to the FireStore.
But what you can do is add a field in the user like userType and give it the value Admin whenever an admin Signs up, subsequently you can create rules based on that.
Firesbase Storage security rules allow update not working, can't prevent file over-write.
Example rule:
match /test/{userId}/{imageId} {
allow create: if request.auth.uid == userId;
allow update: if false;
}
Here I'm allowing authenticated users to only 'create' file, but not update/over-write.
Expected behavior: It shouldn't be allowed to update/over-write the existing file.
Actual behavior: When I'm again uploading a different file, but with same file name {over-writing the existing file}, then it's allowed to update/over-write.
How to prevent file update?
I tried to create the same structure as yours in Firebase Storage and turns out the rules are working for me.
I doubt if your structure is something like /test/{userId}/images/{imageId} which makes more sense if you are storing user generated content.
If the above if the case, then please update the rule to: /test/{userId}/images/{imageId}
If the issue still persists please share a screenshot of your Firebase Storage Directory structure.
I've appended the following line to my storage rules following the docs:
rules_version = '2';
Furthermore, my rules are now:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
Moreover, I am able to list out the files of a folder using listAll which is an exclusively version 2 feature.
However, each day I come back to my dashboard to find my rules updated to the previous version, being:
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if request.auth != null;
}
}
}
How and why does this happen? More importantly, how may I fix the issue?
With the help from Jonathan from Firebase who was kind enough to remind me of the fact that I am deploying almost on a daily basis I figured out what was going wrong. It turned out that as part of my continuous deployment I was also deploying Firebase storage rules, hence I was indirectly the one overriding my own rules.
Now the obvious and easy solution is to just update the storage.rules file locally.
There are only three ways your rules can change:
Using the Firebase console
Using the Firebase CLI to deploy rules from a local file
Use the Firebase Admin SDK.
If your rules are changing and you are absolutely certain that it's not coming from one of these two methods, contact Firebase support for assistance.
I started out with an issue simply displaying storage contents. The error message was the same Code 400 "Permission denied. Could not access bucket bucket. Please enable Firebase Storage for your bucket by visiting the Storage tab in the Firebase Console and ensure that you have sufficient permission to properly provision resources."
But the changes I made based on This stackoverflow question made the issue worse, now my upload form is giving the same error now and blocks file uploads, even after rolling back all the changes. I tried creating a brand new project on Firebase, but that has the same error.
I also tried to set my bucket permissions to
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read;
allow write;
}
}
}
since I thought that it could be a rights issue, but I get the same error.
I'm not sure what I was trying to do when I added this bit of code, but I had added
{ provide: StorageBucket, useValue: 'bucket' }
To my providers: on my app.module. I think it was a place holder for something and I forgot to remove it before committing the project.
This led me down and interesting troubleshooting path that finally led me to doing breakpoints and console logs until I found the issue.
const task = this.storage.upload(filePath, file);
I did a console log of task, which gave me a location, that's where I found
bucket: bucket
I then added the same console.log to a working project that showed
bucket: whatever.appspot.com
and I knew I made a mistake somewhere. I just happened across the entry in the app.module.ts file while trying to recreate the issue in stackblitz. The error is resolved.
When I open my Firebase Storage bucket and go to files I have the following folder structure:
/<environment>/reports/<userId>/
I want that only the authenticated userId is allowed to read, write the reports in that user folder.
I tried the following, but it gives me the message that access is denied. What am I doing wrong? I copied almost one-to-one the example from the docs.
// Grants a user access to a node matching their user ID
service firebase.storage {
match /b/{bucket}/o {
// Files look like: "<ENVIRONMENT>/reports/<UID>/path/to/file.txt"
match /production/reports/{userId}/{allPaths=**} {
allow read, write: if request.auth.uid == userId;
}
}
}
You can use the rules simulator in the Firebase Storage Console to test your rules. I've tested yours and they seem to be working OK:
You'll need to remember to specify a final node name such as /production/reports/{userId}/test in order for the rule to work, as it will match the storage bucket filename rather than the parent directory due to /{allPaths=**}.