Search code examples
firebasegoogle-cloud-platformgoogle-cloud-storagefirebase-storagefirebase-security

Firebase storage rules for writing at specific path not considered

I have a very simple Firebase Storage structure:

> check-in-station-content
> reports

These are two folders and I am trying to set up a restriction on the check-in-station-content to accept only video/mp4 files, not bigger than 30MB and to be uploaded only by authenticated parties. So, my rules looks like this:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /{allPaths=**} {
      allow read: if request.auth != null;
    }

    match /check-in-station-content {
      // Allow write files, subject to the constraints:
      // 1) File is less than 30MB
      // 2) Content type is video/mp4
      match /{videoId} {
        allow write: if request.auth != null && request.resource.size < 30 * 1024 * 1024 && request.resource.contentType.matches('video/mp4')
      }
    }
  }
}

Then, when I go to the UI for the storage and click the Upload button, nothing is stopping me of uploading whatever file having whatever size

enter image description here

Solution

  • When you use the Firebase console, you actually bypass all the security rules, since you are interacting with Cloud Firestore as the owner of the project (or another role with similar access, e.g. Editor). The rules apply only when you are using one of the Client SDKs or the other Client APIs.

    By the way, note that your rule matches the check-in-station-background-content path and no the check-in-station-content one.