Firebase Storage – Can't delete with size requirement

Question

I would like to allow users to only upload documents to their own bucket in storage with a maximum file size of 1MB, and still let them delete the files. I have added the following, which:

match /myusers/{userId}/{allPaths=**} {
  allow write: if request.auth.uid == userId && request.resource.size < 1 * 1024 * 1024;
  allow read: if request.auth.uid == userId;
}

I am testing both in the simulator and live in my project. This doesn't let me delete the document (access denied). If I remove && request.resource.size < 1 * 1024 * 1024; from the rule above, the the document can be deleted (but then won't prevent upload of files greater than 1MB.

I thought maybe it was rejecting it because request.resource is null, so I tried the following:

match /myusers/{userId}/{allPaths=**} {
  allow write: if request.auth.uid == userId && (request.resource.size < 1 * 1024 * 1024 || request.resource == null);
  allow read: if request.auth.uid == userId;
}

Still, deleting fails with the following error (in the simulator):

Error: simulator.rules line [5], column [16]. Property resource is undefined on object.

I have looked at all of these solutions and modified the rule as many ways as I can think of, to no avail:

• Firebase Storage Allow Deleting Files

• Firestore Rules Simulator - Resource undefined

• Firebase Storage Post rules apply to Delete rules

• Firebase Cloud Storage security rule for deleting

Does anyone know how to set a max size for the file allowed but still allow for deleting?

Answer 1

Figured it out! Here's what works both in production and in the simulator :)

match /myusers/{userId}/{allPaths=**} {
  allow write: if request.auth.uid == userId && 
                  (request.resource.size < 1 * 1024 * 1024 || request.method == 'delete');
  allow read: if request.auth.uid == userId;
}

p.s. @Doug Stevenson, if you're able to submit a note internally, I imagine that it would be very helpful for others if request.method examples with delete, update, get, and/or create could be added to the documentation!

EDIT:

Also, this works in both the simulator and production (and is a bit more readable than the first option, in my opinion). Thanks to @Doug Stevenson on the tip!

match /myusers/{userId}/{allPaths=**} {
  allow write: if request.auth.uid == userId && request.resource.size < 1 * 1024 * 1024;
  allow delete: if request.auth.uid == userId 
  allow read: if request.auth.uid == userId;
}

Answer 2

As far as I can see, this is just a bug in the console simulator. I wrote actual (Android) app code against these rules, and I was able to create and delete the content with no problems. The problem is that the simulator doesn't understand how to interpret request.resource == null, and just fails the whole thing as a result.

I'll file a bug report internally for this, but you should always check against your rules against the actual product if something doesn't make sense, as it's difficult to keep the simulator fully in sync.