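rules_version = '2';

// Cloud Storage for Firebase security rules.
// A request is allowed when ANY matching `allow` statement evaluates to true,
// so the catch-all block below grants nothing by itself: a path is reachable
// only if a more specific match grants it.
service firebase.storage {
  match /b/{bucket}/o {
    // Default deny for every object in the bucket.
    match /{allPaths=**} {
      allow read, write: if false;
    }

    // product-images: public read; upload and delete for signed-in users.
    // {imageId} matches a single path segment, so objects in sub-folders of
    // product-images/ are not covered here and stay denied.
    match /product-images/{imageId} {
      // `read` covers both `get` and `list`, so unauthenticated clients can
      // fetch images and also enumerate the folder.
      // NOTE(review): narrow to `allow get` if listing is not needed - confirm with the client code.
      allow read: if true;

      // Uploads (new objects and overwrites). Scoped to create/update rather
      // than `write`, because `write` also includes delete, where
      // request.resource is null and the size/type checks cannot be evaluated.
      //  - size: strictly under 5 MiB.
      //  - contentType: metadata sent by the client with the upload, not
      //    derived from the file bytes, so it limits honest clients only.
      //    The pattern also accepts image/svg+xml, which can carry script.
      //    NOTE(review): list the exact image types the app needs if SVG is not one of them.
      allow create, update: if request.auth != null
                            && request.resource.size < 5 * 1024 * 1024
                            && request.resource.contentType.matches('image/.*');

      // Any signed-in user can delete (and, above, overwrite) any product
      // image. request.auth != null also holds for anonymous sign-in when
      // that provider is enabled.
      // NOTE(review): if only staff should manage product images, add an
      // authorization check (ownership metadata or a role claim) - confirm
      // against the app's intended roles.
      allow delete: if request.auth != null;
    }
  }
}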