Transcript from the "Security Rules for Uploading" Lesson
>> Steve Kinney: All right, so we've got the ability to upload a file in place. This is gonna blow up.
>> Steve Kinney: Anyone wanna guess why it's gonna blow up?
>> Student: Image types, I mean file types, wrong file.
>> Steve Kinney: I mean, that's also a reason they could blow up. I mean, you can put whatever you want in the bucket.
[00:00:18] Whether or not it renders as an image is a different story. You put whatever you want in the bucket. Security rules, right? This is like, there's also, you can imagine what happened if we just let anyone upload anything, right, anywhere, right? So we'll just do some really basic security rules here.
[00:00:42] I'll take that for a spin, so go to storage. We'll get started. This is the kind of default rule that I want to give you. All right, let's read this rule together. All passes like document before, it's basically they can read or write anywhere as long as they're logged in.
[00:01:01] Better than the test one that we did for FireStore, but not great. So let's go ahead and let's make that a little bit better. And we'll say, no, you can't do anything unless it's to user-profiles/,
>> Steve Kinney: And we'll look at a userId in there.
>> Steve Kinney: And then for a photo URL,
>> Steve Kinney: And we'll say, we'll allow,
>> Steve Kinney: read, anyone can read it. And we'll allow write if the request,
>> Steve Kinney: auth.uid == user ID. So you can write to that bucket. You can write to that folder if it is your folder. Anyone can read from it. Only the user can put a file there.
[00:02:08] Otherwise, I can go find any of your profile things and upload some stuff there and make it all weird. Fortunately, the only picture I have is of myself that's already there, so that's not fun.