hevon 3y ago

Firebase Storage rules

Hello, would you know why I have to update all my rules when connecting to my Firestore DB? To add Rowy as an admin makes sense, but for example, as we are doing other tests, read/write is authorized by all -> is it possible to bypass that?
5 Replies
seenee 3y ago
Hi, these are the default Firebase Storage rules we suggest, so that people can upload files in any table by default, for simplicity. The default Firestore rules we set and suggest don't allow read/write for all users for all collections.
hevon 3y ago
Understood, but do you suggest or enforce? If enforce, then it means I have to update my app setup, @seenee?
seenee 3y ago
It looks like the setup process only requires the rule allow read, write: if request.auth.token.roles.size() > 0; to be set for any path, not all files. So you could set it to match a fake/unused path to bypass that when setting up. Otherwise, we don't check or require that those rules are set to use Rowy. But if you don't allow your users to at least write to a Storage path, they won't be able to upload files from Rowy.
hevon 3y ago
Could you give me an example of how I could have both rules? BTW, this applies to Firestore AND Storage, as we don't use Firebase Auth to authenticate. We basically need to keep the rule below for now: match /{document=**} { allow read, write: if true; }
seenee 3y ago
You can do
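match /{document=**} {
  // Existing open rule: any client can read and write
  allow read, write: if true;
  // Rule the Rowy setup looks for: user has at least one role claim
  allow read, write: if request.auth.token.roles.size() > 0;
}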