Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Create group access to firebase storage without using custom authorization

Is there a way to control uploads to a path in Firebase Storage by group? For instance have an admin group that can upload anywhere or a team that can only upload to a certain path.

like image 370
ecalvo Avatar asked Jul 04 '16 15:07

ecalvo


1 Answers

After searching around a bit, I didn't find a ready answer, so I'll post what I have so far. It would be nice to know if there are other (better) ways of doing this.

Since I'm trying NOT to use another server, custom authentication tokens are out. However, the request.auth.uid is available to the storage rules. The uid property matches one of the users defined in the Auth area. You'll need to create a function in the storage rules that checks if request.auth.uid is in a group you define.

Firebase storage rules have a unique syntax. It sorta looks like javascript, but it's not. You can define functions, but you can't declare a var within them. Furthermore there is a subset of javascript-like methods available.

For instance, I first unsuccessfully tried the following:

function isAdmin() {
  return ["value","list"].indexOf(request.auth.uid) > -1;
}

service firebase.storage {...}

Either the rules editor threw errors when I tried to define a var OR it always returned "unauthorized" when I used .indexOf.

The following ended up working for me.

function isAdmin() {
  return request.auth.uid in {
    "yaddayadddayaddUserIDKey":"User Name1"
  };
}
function isSomeOtherGroup() {
  return request.auth.uid in {
    "yaddayaddaSomeOtherUID":"User Name2",
    "YaddBlahBlahUID":"User Name3"
  };
}

service firebase.storage {
  match /b/<your bucket here>/o {
    match /{allPaths=**} {
      allow read, write: if isAdmin();
    }
    match /path/{allPaths=**} {
        allow read, write: if isSomeOtherGroup() || isAdmin();
    }
  }
}
like image 158
ecalvo Avatar answered Oct 30 '22 01:10

ecalvo