Hi, I am using Firebase Cloud Storage to develop a web application. I would like to set different security rules for setting a file and for deleting a file. It seems that write includes both of them according to the documentation. Does anyone know how to solve this problem?
What I would like to do is this:
- Anyone can set a file if they are logged in.
- Only the user who set the file can delete it.
You can detect that a file is being deleted with request.resource == null in your rule.
But there is no property in the file objects (that I know of) to know who created the file.
A common approach is to store the files under a path that identifies their creator, e.g. /users/$uid/filename. With that structure you can check like this:
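    match /users/{userId}/profilePicture.png {
      allow read;
      // Write is granted only for a delete (request.resource == null) by the user whose uid is in the path.
      allow write: if request.auth.uid == userId && request.resource == null;
    }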
An alternative would be to add an owner property to the metadata of each file and then check:
    match /{fileId} {
      allow read;
      // Write is granted only for a delete by the user recorded in the existing file's owner metadata.
      allow write: if (request.auth.uid == resource.metadata.owner && request.resource == null);
    }
Source: https://stackoverflow.com/questions/50919867/firebase-cloud-storage-security-rule-for-deleting
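The following ruleset is an added example, not part of the original question or answer. It combines the `request.resource == null` delete test with the owner-metadata check so that both of the asker's requirements sit in one `write` rule. The `/uploads/{fileId}` path and the convention that clients set a custom metadata field named `owner` on upload are assumptions. It goes one step beyond the answer by denying overwrites, so that a different signed-in user cannot replace a file, stamp their own uid on it and then delete it.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    // Hypothetical upload path (assumption, not from the original post).
    match /uploads/{fileId} {
      // Public read, as in the answer's snippets.
      allow read;

      allow write: if request.auth != null && (
        // Create: no object exists yet (resource == null) and the uploader
        // records their own uid in the custom "owner" metadata field.
        // A missing or mismatched owner value denies the upload.
        (resource == null
          && request.resource != null
          && request.resource.metadata.owner == request.auth.uid)
        ||
        // Delete: nothing is being written (request.resource == null) and
        // the caller is the uid stored on the existing object.
        (request.resource == null
          && resource != null
          && resource.metadata.owner == request.auth.uid)
        // Overwrite (resource != null && request.resource != null) matches
        // neither branch and is therefore denied.
      );
    }
  }
}
```

Before deploying, exercise the three cases (create, delete by owner, delete or overwrite by another signed-in user) in the Firebase emulator or the console's rules playground.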