I'm trying to secure my Firebase (Google Cloud Storage) files based on user data. In Firestore, I use a rule based on getting database content (look up the uid in users table and match a field) and that's working fine. I'm trying to use the same kind of rules in Firebase Storage, but in the simulator I get: Error: simulator.rules line [12], column [17]. Function not found error: Name: [get].; Error: Invalid argument provided to call. Function: [get], Argument: ["||invalid_argument||"]. My rules look like this:
    service firebase.storage {
      match /b/{bucket}/o {
        function isAuth() {
          return request.auth != null && request.auth.uid != null
        }
        function isAdmin() {
          return isAuth() &&
            "admin" in get(/databases/$(database)/documents/users/$(request.auth.uid)).data.roles;
        }
        function clientMatch(client) { // expects user's "client" field to be ID of client
          return isAuth() &&
            client == get(/databases/$(database)/documents/users/$(request.auth.uid)).data.client;
        }
        match /P/Clients/{client}/{allPaths=**} {
          allow read, write: if isAdmin() || clientMatch(client);
        }
      }
    }
Line 12 is the one beginning client == get, in clientMatch().
I haven't been able to tell whether these functions are only supported for Firestore (db) rules, or whether they should work for storage as well.
If this doesn't work, what are my options? How do people look up user data for Firebase storage security?
You currently can't reference Firestore documents in Storage rules. If you would like to see that as a feature of Storage rules, please file a feature request.
Consider instead using a Cloud Functions storage trigger to perform some additional checks after the file is uploaded, and remove the file if you find that it's not valid.
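The post-upload check suggested in the answer above, sketched as an added example (not code from the question or the answer). The trigger event carries no auth context, so the uid is read from a hypothetical custom metadata key uploaderUid, which is only trustworthy if the Storage write rule requires request.resource.metadata.uploaderUid == request.auth.uid. The Firestore read and the file delete are injected as stand-in functions so the logic runs offline.

```javascript
// Added example. Assumptions: custom metadata key "uploaderUid" (hypothetical) holds the
// uploader's uid; users/{uid} documents have the "roles" and "client" fields from the question.
const CLIENT_PATH = /^P\/Clients\/([^/]+)\/.+/;

// Same policy as isAdmin() || clientMatch(client) in the question's rules.
function isUploadAllowed(objectName, uploaderUid, userDoc) {
  const m = CLIENT_PATH.exec(objectName);
  if (!m) return true;                        // outside the protected prefix
  if (!uploaderUid || !userDoc) return false; // unknown uploader: fail closed
  const roles = userDoc.roles || [];          // list or map, as the rules "in" operator allows
  const isAdmin = Array.isArray(roles) ? roles.includes("admin") : Object.keys(roles).includes("admin");
  return isAdmin || userDoc.client === m[1];
}

// Body of a storage "finalize" trigger; dependencies are injected:
//   deps.getUser(uid)       -> Promise<object|null>  (Firestore read in production)
//   deps.deleteObject(name) -> Promise<void>         (bucket file delete in production)
async function checkUploadedObject(object, deps) {
  const uid = object.metadata ? object.metadata.uploaderUid : undefined;
  const userDoc = uid ? await deps.getUser(uid) : null;
  if (isUploadAllowed(object.name, uid, userDoc)) return "kept";
  await deps.deleteObject(object.name);
  return "deleted";
}

// Constructed sample data standing in for the users collection.
const SAMPLE_USERS = new Map([
  ["alice", { roles: ["admin"], client: "acme" }],
  ["bob", { roles: [], client: "acme" }],
]);

// Runs four constructed uploads through the check and records what was deleted.
async function demo() {
  const deleted = [];
  const deps = {
    getUser: async (uid) => SAMPLE_USERS.get(uid) || null,
    deleteObject: async (name) => { deleted.push(name); },
  };
  const uploads = [
    ["P/Clients/acme/report.pdf", "bob"],     // own client
    ["P/Clients/globex/report.pdf", "bob"],   // another client
    ["P/Clients/globex/report.pdf", "alice"], // admin
    ["P/Clients/acme/x.pdf", undefined],      // no uploader recorded
  ];
  const results = [];
  for (const [name, uid] of uploads) {
    results.push(await checkUploadedObject({ name, metadata: { uploaderUid: uid } }, deps));
  }
  return { results, deleted };
}
demo().then((r) => console.log(r));
```

A check like this runs after the write has completed, so it covers uploads only; reads of objects under P/Clients are not affected by it.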