I’m trying to create a Firebase Storage rule that only allows access to files under /approved/ if the user has a permission: true field in the Realtime Database, located at this path:
/Users/{uid}/permission
Here’s the rule I’m trying:
    service firebase.storage {
      match /b/{bucket}/o {
        match /approved/{fileId} {
          allow read, write: if isApprovedUser();
        }
      }
    }
    function isApprovedUser() {
      return request.auth != null &&
        get(/databases/(default)/data/Users/$(request.auth.uid)/permission).val() == true;
    }
In the Firebase Console simulator, I test it with a valid user ID (dzS1gm71rhgTM4NYdZQ81MuceTp2), and that path definitely exists in the Realtime Database. This is the RTDB.
The isApprovedUser function doesn't work. I tried many things, but in the end none of them worked, and I can't figure out what the problem is. I even tried removing the .val(), and it still doesn't work.
What I’ve tried:
• Double-checked that the path is correct
• Ensured the user is authenticated
• Checked the Realtime Database rules (they currently allow read access for authenticated users)
• Tried changing the path casing, checked for typos
While Firebase Storage security rules can read from Cloud Firestore, they cannot read from the Realtime Database. So what you're trying to do is not a supported feature.
Also see my answer here: Creating Firebase Storage Security Rules Based on Firebase Database Conditions
It might make a good feature request to add to firebase.uservoice.com, although I admit that I'm skeptical if that'll ever get prioritized.
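As an added example (not part of the question or the answer above), this is how the same check looks against Cloud Firestore, which Storage rules can read. It assumes the flag has been mirrored into a Firestore document at Users/{uid} with a boolean field named permission; that document layout is an assumption, not something the original post defines.

```firebase-rules
rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {

    // Assumed layout: Firestore document Users/{uid} holding a boolean
    // field "permission". This mirrors the RTDB path from the question;
    // the Realtime Database itself cannot be read from Storage rules.
    function isApprovedUser() {
      return request.auth != null &&
        firestore.get(
          /databases/(default)/documents/Users/$(request.auth.uid)
        ).data.permission == true;
    }

    match /approved/{fileId} {
      // If the document or the field is missing, the condition does not
      // evaluate to true and access is not granted.
      allow read, write: if isApprovedUser();
    }
  }
}

// Because this flag now gates Storage access, the Firestore rules for
// Users/{uid} must not let clients write the "permission" field
// themselves; set it only from trusted server-side code.
```

Each evaluation of firestore.get() in a Storage rule is a Firestore document read.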