Closed
Description
[REQUIRED] Describe your environment
- Operating System version: Windows 10 Home Version 20H2, Build 19042.1052
- Browser version: N/A (using mocha and @firebase/rules-unit-testing testing library)
- Firebase SDK version: @firebase/rules-unit-testing 1.3.8
- Firebase Product: storage, storage emulator
[REQUIRED] Describe the problem
It is not currently possible to unit test "update" storage security rules using @firebase/rules-unit-testing. When you try to overwrite an existing file, the security rules always check the "create" rule instead of the "update" rule.
Steps to reproduce:
Step 1: Create a storage.rules file with rules that allow creating but not updating
```
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    allow read: if true;
    allow write: if false;
    match /folder/{fileId} {
      allow create: if true;
    }
  }
}
```
Step 2: Write a unit test that checks that creates are allowed and a unit test that checks that updates are denied
```ts
import * as firebase from "@firebase/rules-unit-testing";

// Point the Storage SDK at the locally running storage emulator
process.env.FIREBASE_STORAGE_EMULATOR_HOST = "localhost:9199";
// The Storage SDK expects XMLHttpRequest, which Node does not provide
(global as any).XMLHttpRequest = require("xhr2");

describe("storage update bug", () => {
  it("can create", async () => {
    const client = firebase.initializeTestApp({ storageBucket: "test-bucket" }).storage();
    // Create 5mb file
    const file = Buffer.allocUnsafe(5000000);
    await firebase.assertSucceeds(
      client.ref().child("folder/dummy").put(file).then()
    );
  });

  it("CANNOT update", async () => {
    const client = firebase.initializeTestApp({ storageBucket: "test-bucket" }).storage();
    // Create 5mb file
    const createFile = Buffer.allocUnsafe(5000000);
    await firebase.assertSucceeds(
      client.ref().child("folder/dummy").put(createFile).then()
    );
    // Update 5mb file (should fail, but does not fail!)
    const updateFile = Buffer.allocUnsafe(5000000);
    await firebase.assertFails(
      client.ref().child("folder/dummy").put(updateFile).then()
    );
  });
});
```
[REQUIRED] Expected behavior
Should throw a permission denied error. And the "CANNOT update" test should pass.
[REQUIRED] Actual behavior
No permission denied error is thrown. The client is allowed to update the file despite the fact that the rules say they should not be allowed to update the file. And the "CANNOT update" test fails.