firebasefirebase-realtime-databasefirebase-storagefirebase-security

Firebase Storage security rules: get() to Realtime Database dont work


I’m trying to create a Firebase Storage rule that only allows access to files under /approved/ if the user has a permission: true field in the Realtime Database, located at this path:

/Users/{uid}/permission

Here’s the rule I’m trying:

service firebase.storage {
  match /b/{bucket}/o {
    match /approved/{fileId} {
      allow read, write: if isApprovedUser();
    }
  }
}

function isApprovedUser() {
  return request.auth != null &&
         get(/databases/(default)/data/Users/$(request.auth.uid)/permission).val() == true;
}

In the Firebase Console simulator, I test it with a valid user ID (dzS1gm71rhgTM4NYdZQ81MuceTp2), and that path definitely exists in the Realtime Database this is the RTDB

The isApprovedUser function doesn't work, and I tried many things, but at the end, none of them work, and I can't figure out what's the problem. I even tried to remove the .val(), and it doesn't work.

What I’ve tried:

•   Double-checked that the path is correct
•   Ensured the user is authenticated
•   Checked the Realtime Database rules (they currently allow read access for authenticated users)
•   Tried changing the path casing, checked for typos

Solution

  • While Firebase Storage security rules can read from Cloud Firestore, they cannot read from the Realtime Database. So what you're trying to do is not a supported feature.

    Also see my answer here: Creating Firebase Storage Security Rules Based on Firebase Database Conditions

    It might make a good feature request to add to firebase.uservoice.com, although I admit that I'm skeptical if that'll ever get prioritized.