Cloud Storage for Firebase Security Rules - Omit {allPaths=**}

Currently the rules use the {allPaths=**} notation, a multi-segment wildcard that matches path segments at any depth:

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /Photos/{userUID}/{allPaths=**} {
      allow read: if request.auth.uid == userUID;
      allow write: if request.auth.uid == userUID && request.resource.size <= 2 * 1024 * 1024;
    }
  }
}

This rule says “The person with the matching UID can write (and read) at any depth in the tree beneath /Photos/<userUID>/”.

In your Simulator try writing to these two locations and you’ll see that they’re both successful:

    /Photos/1234567890123456789012345678/filename.png
    /Photos/1234567890123456789012345678/helloworld/filename.png

We already know the exact location where files are written (/Photos/<userUID>/filename), and we don’t want users writing at arbitrary depth below it. So remove the {allPaths=**} reference and replace it with a single-segment wildcard variable that captures the filename (the variable name is arbitrary; {fileName} is used here):

    match /Photos/{userUID}/{fileName} {

Try running the Simulator against the two paths above and you’ll see that writing to the path containing the “helloworld” component now fails. Excellent!

Here are our new rules. Publish to save!

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /Photos/{userUID}/{fileName} { // {fileName} matches exactly one path segment
      allow read: if request.auth.uid == userUID;
      allow write: if request.auth.uid == userUID && request.resource.size <= 2 * 1024 * 1024;
    }
  }
}
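To see concretely why the single-segment wildcard closes off the nested path, the following added Python model (not Firebase's rules engine and not code from the original post) implements just the two wildcard forms discussed above and evaluates the old and new match patterns against the two Simulator paths. It treats {name} as binding exactly one path component and {name=**} as binding zero or more, which is an assumption about the rules_version '2' semantics; the variable name fileName and the Request class are assumptions of the example.

```python
"""Toy model of Cloud Storage rule path matching (constructed example, not
the Firebase rules engine). It covers only what the tutorial discusses:
  {name}     a single-segment wildcard, binds exactly one path component
  {name=**}  a multi-segment wildcard, assumed here to bind zero or more
             components (the rules_version '2' behaviour)
plus the two conditions on the rule: uid must equal {userUID}, and writes
must be at most 2 MiB.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

WILDCARD = re.compile(r"^\{(\w+)(=\*\*)?\}$")
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # request.resource.size <= 2 * 1024 * 1024


def match_path(pattern: str, path: str) -> Optional[Dict[str, str]]:
    """Return the wildcard bindings if `path` satisfies `pattern`, else None."""
    pat = pattern.strip("/").split("/")
    segs = path.strip("/").split("/")
    bindings: Dict[str, str] = {}

    def walk(pi: int, si: int) -> bool:
        if pi == len(pat):
            return si == len(segs)          # every path segment consumed
        m = WILDCARD.match(pat[pi])
        if m and m.group(2):                # {name=**}: try each span length
            for end in range(si, len(segs) + 1):
                bindings[m.group(1)] = "/".join(segs[si:end])
                if walk(pi + 1, end):
                    return True
            return False
        if si >= len(segs):
            return False                    # pattern longer than path
        if m:                               # {name}: exactly one component
            bindings[m.group(1)] = segs[si]
            return walk(pi + 1, si + 1)
        return pat[pi] == segs[si] and walk(pi + 1, si + 1)

    return dict(bindings) if walk(0, 0) else None


@dataclass
class Request:
    """The parts of request.* that the tutorial's rule reads (assumed shape)."""
    uid: str        # request.auth.uid
    size: int = 0   # request.resource.size, only meaningful for writes


def allow_read(pattern: str, path: str, req: Request) -> bool:
    bound = match_path(pattern, path)
    return bound is not None and req.uid == bound["userUID"]


def allow_write(pattern: str, path: str, req: Request) -> bool:
    bound = match_path(pattern, path)
    if bound is None:
        return False                        # no match block applies: denied
    return req.uid == bound["userUID"] and req.size <= MAX_UPLOAD_BYTES


OLD_PATTERN = "/Photos/{userUID}/{allPaths=**}"
NEW_PATTERN = "/Photos/{userUID}/{fileName}"   # variable name chosen for this example

# The two Simulator paths from the tutorial (constructed sample UID).
UID = "1234567890123456789012345678"
FLAT = f"/Photos/{UID}/filename.png"
NESTED = f"/Photos/{UID}/helloworld/filename.png"


def simulate() -> Dict[str, bool]:
    """Write outcomes for both patterns, as the Simulator would report them."""
    me = Request(uid=UID, size=100 * 1024)
    return {
        "old/flat": allow_write(OLD_PATTERN, FLAT, me),
        "old/nested": allow_write(OLD_PATTERN, NESTED, me),
        "new/flat": allow_write(NEW_PATTERN, FLAT, me),
        "new/nested": allow_write(NEW_PATTERN, NESTED, me),
    }


if __name__ == "__main__":
    for case, allowed in simulate().items():
        print(f"{case:12} -> {'ALLOW' if allowed else 'DENY'}")
```

Running it reproduces the Simulator result: both paths are allowed under the old pattern, and only the flat path is allowed under the new one. The model also makes clear that the uid check and the 2 MiB cap apply identically under both patterns, so narrowing the path shape is a restriction added on top of them, not a replacement for them.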