I have an image link that I want to protect for only authorize users but the issue whenever I try to get the link I can see the picture, even if I specify the rule for it ?
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /profiles/{userId}/{image} {
// Read from storage !!
allow get : if request.auth != null // Authorized users only
}
}
}
If you're referring to download URLs, those are not at all controlled by security rules or any form of authentication. Anyone who has the link can view the content. That behavior can't be changed.
Related
I want to allow every User, even if he is not logged in, to read the datas of my database. But I want that only Users which are logged in and are "marked as a admin" can override this data...
Is there a way to do this? And is there a way to mark some Users as admin?
Btw I want to use swift if this is possible
For allowing only admins to edit, you will first have to give each user an 'admin' field in their user doc, which will only be set to True for Admins, then set the rules:
match /{document=**} {
allow read: if true;
allow write: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true
}
If you'd like some more help with documentation, Firestore has some nifty examples here: https://firebase.google.com/docs/firestore/security/rules-conditions
I have restricted rules:
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /{allPaths=**} {
allow read, write: if false;
}
}
}
but every one can access and download file from this link.
how should I restrict downloading from this link?
Download URLs by definition give read-only access to the file, and are not affected by the security rules.
If you want to control access to the file, you should not generate a download URL and instead access the file through the SDK only.
I managed to use firestore in the app. Users can post a blog which will be updated in real time to all the users. I want to restrict users to post only one blog from their account. How can I make this possible? How can I restrict users from posting multiple posts?
You could use Firestore Rules
service cloud.firestore {
match /databases/{database}/documents {
match /blogs/{blogId} {
allow create:
if request.auth.uid == resource.data.userAuthId &&
request.resource.data.authorNumOfBlogs == 0
allow update, delete:
if request.auth.uid == resource.data.userAuthId
}
}
}
This will only allow the user to create a blog if the request matches the current users id and if that user only has one blog post.
Be sure to make a field authorNumOfBlogs in your /blogs collection and increment/decrement it accordingly when the user creates/deletes a blog post. Also, add a userAuthId field in your /users collection if you are not already keeping track of the user's uid in firestore.
Before uploading the post You can query the collection to see if already exists a post from that user.
If exists, You don't upload the post.
For this You need to save the uid of the user that create the document inside every post.
i'll publish my app on Google Play Store but in test phases (Alpha Version), i was using this rules:
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// This rule allows anyone on the internet to view, edit, and delete
// all data in your Firestore database. It is useful for getting
// started, but it is configured to expire after 30 days because it
// leaves your app open to attackers. At that time, all client
// requests to your Firestore database will be denied.
//
// Make sure to write security rules for your app before that time, or else
// your app will lose access to your Firestore database
match /{document=**} {
// allow read, write: if request.time < timestamp.date(2020, 3, 25);
allow read, write: if request.auth.uid != null;
}
}
}
But, when the app must be published to public i can't know the best path or the best rules that my app must have.
My app have a login screen and after login screen each user have your respectives documents and collections in your document generated from sign up.
I can't got think on a form to protect my app of invasors.
I try to upload images to firebase, but i always receive this exceptionenter image description here
By default, Firebase Storage buckets require Firebase Authentication to upload files. You can change your Firebase Storage Security Rules to allow unauthenticated access.
Something like:
service firebase.storage {
match /b/<your-firbase-storage-bucket>/o {
match /{allPaths=**} {
allow read, write;
}
}
}
Will get you up and running ASAP