Limit number of files in a directory of firebase storage

[Felix Halim]

Suppose I have a user storage rule:

match /users/{userId}/{filename} {

  allow read;

  allow write: if request.auth.uid == userId;

}

How do I limit on the number of files this {userId} can store?

There is a trick like:

match /users/{userId}/{num} {

  allow read;

  allow write: if request.auth.uid == userId

            && num.size() == 1

            && num[0] >= '1'

            && num[0] <= '9';

}

To limit to only 9 files, but it has lots of drawbacks:

- there is no parseInt(), harder to do for arbitrary number of files

- {filename} cannot be used in the path

- the {num} must be carefully chosen with complicated dance with realtime database to avoid overwriting to the old existing num (I know there is resource != null rule to avoid overwriting).

- just hard to get it right

Is there any better solution?

Next follow up question:

How about limiting the total number of bytes per user?

Felix Halim

[Doug Stevenson]

Felix,

I don't think Firebase Storage security rules alone are going to help you with what you want.  Instead, you might want to track a particular user's storage in a database, and consult that data before making a change that could violate arbitrary rules that you define.  If you want these arbitrary rules to be secure, you'll also have to route everything through a server you control.

Doug

[Felix Halim]

Hi Doug,

One of the reasons firebase storage is useful is that users can directly upload their files without the developer need to setup a server.

With the current firebase storage security rules, a user can upload unlimited number of files!

If realtime database is accessible in the firebase storage security rules, this problem can be easily solved like this:

match /users/{userId}/{filename} {

  allow read;

  allow write: if root.child('user'').child(request.auth.uid).length() <= 10;

}

Assuming there is a built-in "length()" method which I proposed in this discussion.

Is there any plan to make the realtime database accessible in the firebase storage? (also the built-in length() method)?.

Thanks,

Felix Halim

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/44f30cb0-9db1-4092-a333-40d39352c9fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-talk+unsubscribe@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/44f30cb0-9db1-4092-a333-40d39352c9fe%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Mike McDonald]

Storage Rules already support map.size() and list.size() functions (your "length()"), which could be used for list sizing purposes.

The most basic version of what you want is:

match /users/{userId}/{filename} {

  allow read;

  allow write: if list(/users/$(username)).size() <= 10;

}

The "list" function would *actually perform a list* within Google Cloud Storage and return the object metadata, which could be potentially pretty expensive.

Eventually doing cross service rules:

match /users/{userId}/{filename} {

  allow read;

  allow write: if db.get(/users/$(username)/numFiles) <= 10;

}

Is something we're considering, but that's *even more expensive* (computationally and economically) than querying the existing service. We're investigating better ways of solving this, but unfortunately it's a little painful now.

Thanks,

--Mike

On Tuesday, January 31, 2017 at 5:38:12 PM UTC-8, Felix Halim wrote:

Hi Doug,

One of the reasons firebase storage is useful is that users can directly upload their files without the developer need to setup a server.

With the current firebase storage security rules, a user can upload unlimited number of files!

If realtime database is accessible in the firebase storage security rules, this problem can be easily solved like this:

match /users/{userId}/{filename} {

  allow read;

  allow write: if root.child('user'').child(request.auth.uid).length() <= 10;

}

Assuming there is a built-in "length()" method which I proposed in this discussion.

Is there any plan to make the realtime database accessible in the firebase storage? (also the built-in length() method)?.

Thanks,

Felix Halim

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.

[Mike McDonald]

Note: at present, neither of these options exist, so there really isn't a good way to limit the number of files under a path in Storage.

Thanks,

--Mike