Firebase Storage security rules - read condition not working - firebase

Regardless what I put in the read condition, I able to read the files
For example:
service firebase.storage {
match <firebase-storage-url> {
match /{userId}/{allPaths=**}{
allow read: if '1'== '2';
allow write: if true
}
}
}
Although 1 not equal 2 I able to read firebase storage files. How it can happens?

Related

Firebase storage rules for writing at specific path not considered

I have a very simple Firebase Storage structure:
> check-in-station-content
> reports
These are two folders and I am trying to set up a restriction on the check-in-station-content to accept only video/mp4 files, not bigger than 30MB and to be uploaded only by authenticated parties. So, my rules looks like this:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read: if request.auth != null;
}
match /check-in-station-content {
// Allow write files, subject to the constraints:
// 1) File is less than 30MB
// 2) Content type is video/mp4
match /{videoId} {
allow write: if request.auth != null && request.resource.size < 30 * 1024 * 1024 && request.resource.contentType.matches('video/mp4')
}
}
}
}
Then, when I go to the UI for the storage and click the Upload button, nothing is stopping me of uploading whatever file having whatever size
When you use the Firebase console, you actually bypass all the security rules, since you are interacting with Cloud Firestore as the owner of the project (or another role with similar access, e.g. Editor). The rules apply only when you are using one of the Client SDKs or the other Client APIs.
By the way, note that your rule matches the check-in-station-background-content path and no the check-in-station-content one.

How to set Firebase rules that allow authenticated users to only read and write their own data?

My database structure is:
users
david#gmail.com
records
ApK2DFpG87NDGYutgAVO
pulse: 80
Bryd87NAS20dfDGYtghg
pulse: 78
eva#fb.com
records
A81hxASDKH38dhaj9321
pulse: 93
A82ndasklih38ASD2eda
pulse: 67
and rules are:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{email} {
allow create, read, update, delete: if request.auth.token.email == email;
}
}
}
I would like every user (e.g. foo#gmail.com) to be able to read and write data only under that user (users/foo#gmail.com/**).
When I read users/me#gmail.com in the Rules playground (while being authenticated as me#gmail.com), I get "Simulated read allowed", as expected.
However, when I read users/me#gmail.com/records from my app (while being authenticated as me#gmail.com), I get:
FirebaseError: Missing or insufficient permissions.
What am I missing?
By the way, why the Rules playground doesn't allow reading collections (e.g. users/me#gmail.com/records)? It says:
Path must be document-level
You should take advantage of the recursive wildcards of version 2 of the security rules, as follows:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{email}/{document=**} {
allow create, read, update, delete: if request.auth.token.email == email;
}
}
}
As explained in the doc, it will match documents in any subcollections of the users collection as well as documents in the users collection.
By the way, why the Rules playground doesn't allow reading collections
If I am not mistaking, this is because rules are not filters, and therefore you need to exactly specify the document you want to target in the "Rules Playground".

Firebase Security Rules to allow read

I am learning about Firebase Database and am trying to set up security rules. To start, I am creating very permissive rules with something like this:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/users/{user_id} {
allow read, write: if true;
}
}
I found the Rules Playground tool in the Firebase Console and attempt to get a document:
But when I click Run, I get "Simulated read denied".
What am I missing? Why doesn't my rule allow the read? What do I need to change to allow reads and writes?
Your rules are just incorrect. It look like you edited down the path too far. Your outer match should always be "/databases/{database}/documents". The whole thing should look like this if you want to allow full access to the users collection:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /users/{user_id} {
allow read, write: if true;
}
}
}

-Firebase- Don't understand the rules

After watching movie and read i really don't understand what i want to do.
I'm explain, i have a website, he read information in my database realtime and printed on my website ...
And i got a system for vote, visitor can coming and click on button for send a vote and i sended directly on my server database.
My problem is actually write/read is true and all word but if i pass anyone on false one of two don't work.
But what need to do for nobody can modifi or delete my data ??
The rules is clear i can for who i want (admin,guest,anonymous..) what i want. But is not my problem, i don't understand what i want to do :/
Thanks a lot !
From what you have explained in your comment I think you want to make the firebase rules read-only?
If this is true the following code will accomplish that:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
allow write: if false;
}
}
}
Otherwise, you could allow writing tp database only if a user is authenticated (signed in):
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /{document=**} {
allow read: if true;
allow write: if request.auth.uid != null;
}
}
}
more information on firestore rules can be found here: https://firebase.google.com/docs/firestore/security/overview?authuser=0

Writing Database rules for Firebare cloud storage

So I'm writing rules for my database in firebase. And I'm trying to allow a person to delete his own post only. But when I'm testing it anybody can delete anyone's post.
I have tried writing if request.auth.uid==resource.data.User.uid but it doesn't work
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /posts/{postId}{
allow delete: if request.auth.uid==resource.data.User.uid
allow read;
allow write,update: if request.auth.uid!=null;
}
}
}
I tried simplifying it further by changing it to
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /posts/{postId}{
allow delete: if request.auth.uid==1
allow read;
allow write,update: if request.auth.uid!=null;
}
}
}
But still anyone can delete anybody's post. And obviously no one has uid as 1.
Here is my post collection
Content "Hello"
Title "Hey"
User
displayName "Vikram Singh Bedi"
email "vikrambedi_bt2k16#dtu.ac.in"
uid "dCQvboYvffQ1kOqkMqgs2txNKvo1"
comments 0
createdAt 8 September 2019 at 14:10:31 UTC+5:30
favorites 0
I want only the person who created the post to be able to delete it.
Here is the code to delete a post
<button
className="delete"
onClick={() => {
firestore.doc(`posts/${id}`).delete();
}}
>
How do you send a delete request?
For example if you are using Admin SDK to delete, then Admin SDK will bypass the rules.
When you grant permission for a write operation, that grants permissions to all of create, update and delete operations.
You're combining a granular write rule with non-granular delete and update rules, which I suspect means the non-granular write rule wins out (since they're just OR'ed together).
If that is the case, use only non-granular write rules:
allow delete: if request.auth.uid==resource.data.User.uid
allow read;
allow create,update: if request.auth.uid!=null;

Resources