How to restrict access to files to group members?

后悔当初 2020-12-12 02:34

I have a chat app where users can send photos in private or group chats. Each private or group chat has a unique chat id: /images//image.jpg

1 Answer
  • 2020-12-12 03:11

    The eternal question. It's discussed in a few places (Google Group, Storage Docs, GitHub Gist), but the TL;DR is: at present, there's no way to read data from one service in the Rules of another. For services, you can do one of two things:

    • Convey group information in a custom token
    • Convey group information in custom metadata in the service

    One example of this:

    service firebase.storage {
      match /b/{bucket}/o {
        // Allow reads if the group ID in your token matches the file metadata's `owner` property
        // Allow writes if the group ID is in the user's custom token
        match /files/{groupId}/{fileName} {
          allow read: if resource.metadata.owner == request.auth.token.groupId;
          allow write: if request.auth.token.groupId == groupId;
        }
      }
    }
    
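How the two rules in the answer above decide a handful of requests, as an added example that is not part of the original answer and is not Firebase code. It is a plain JavaScript model of the rule expressions; the users, group IDs and files are constructed, and it assumes that a missing token, claim or metadata key makes a rule deny.

```javascript
// Plain-JavaScript model of the two rules above (not Firebase's evaluator).
// Assumption: a missing token, claim or metadata key makes a rule deny.

// Returns the {groupId} segment of /files/{groupId}/{fileName}, or null.
function groupFromPath(path) {
  const m = /^\/files\/([^/]+)\/[^/]+$/.exec(path);
  return m ? m[1] : null;
}

// allow read: if resource.metadata.owner == request.auth.token.groupId;
function allowRead(request, resource) {
  const claim = request.auth?.token?.groupId;
  const owner = resource?.metadata?.owner;
  if (groupFromPath(request.path) === null) return false;
  return claim != null && owner != null && owner === claim;
}

// allow write: if request.auth.token.groupId == groupId;
function allowWrite(request) {
  const claim = request.auth?.token?.groupId;
  const groupId = groupFromPath(request.path);
  return claim != null && groupId !== null && claim === groupId;
}

// Constructed sample data: token claims and stored files are made up.
const member = { uid: "u1", token: { groupId: "chat-1" } };
const outsider = { uid: "u2", token: { groupId: "chat-2" } };
const noClaim = { uid: "u3", token: {} };
const tagged = { metadata: { owner: "chat-1" } };
const untagged = { metadata: {} }; // uploaded without custom metadata

function decisions() {
  const path = "/files/chat-1/image.jpg";
  return {
    memberWrites: allowWrite({ auth: member, path }),
    outsiderWrites: allowWrite({ auth: outsider, path }),
    memberReadsTagged: allowRead({ auth: member, path }, tagged),
    outsiderReadsTagged: allowRead({ auth: outsider, path }, tagged),
    noClaimReadsTagged: allowRead({ auth: noClaim, path }, tagged),
    signedOutReadsTagged: allowRead({ auth: null, path }, tagged),
    // The write rule does not look at metadata, so this upload was
    // accepted, but without `owner` nobody in the group can read it.
    memberReadsUntagged: allowRead({ auth: member, path }, untagged),
  };
}

console.log(decisions());
```

The last case is the one to watch for: the read rule depends on the `owner` custom metadata, so every upload has to set it to the chat's group ID.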