TODO Items
Storage Security Improvements
Firebase Storage Custom Claims Setup
Priority: Medium
Status: Pending
Currently, the Firebase Storage rules for company logo uploads include a fallback that allows any authenticated user to upload if they don't have custom claims set:
```
// In storage.rules line 99:
|| request.auth.token.role == null
```
Action needed:
- Fix the Cloud Functions deployment issues (Firebase Functions v2 syntax updates needed)
- Ensure the `syncUserClaims` function in `/functions/src/auth.js` is properly deployed and working
- Verify that all admin users have their roles set as Firebase Auth custom claims
- Remove the fallback `|| request.auth.token.role == null` from storage.rules
- Test that only users with proper admin roles (`super_admin`, `system_admin`, `organization_admin`, `company_admin`) can upload company logos
Background:
The current setup works but is less secure than intended. File validation (type, size) is handled in the app code by the `validateLogoFile()` function, but that runs client-side and can be bypassed by calling the Storage API directly, so it is not a substitute for the rule. Role-based access control in the rule itself relies on a fallback that's too permissive: a signed-in user whose claims were never synced is treated the same as an admin. Note that custom claims only take effect in a user's ID token once the token is re-minted, so after `syncUserClaims` sets a role an existing session must force a token refresh (or wait for the current token to expire) before the rule will see it. Do the claims verification step before removing the fallback, or admins with stale tokens will lose upload access.
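The following is an added worked example, not code from the project's `storage.rules` or `auth.js`. It models the upload decision of the current rule (with the `role == null` fallback) and of the hardened rule in plain JavaScript, then runs both over constructed tokens so the population the fallback lets through can be checked offline. The rule shapes shown in the comment, the `/company-logos/...` path, the `viewer` role and the fixture users are assumptions for illustration.

```javascript
// Added example (not the project's storage.rules or auth.js): models the
// storage-rule decision for company logo uploads so the before/after
// behaviour can be verified against constructed decoded ID tokens.
//
// Equivalent rule shapes (the path is assumed):
//
//   match /company-logos/{companyId}/{fileName} {
//     // before: any signed-in user with no role claim is let through
//     allow write: if request.auth != null
//       && (request.auth.token.role in ['super_admin', 'system_admin',
//                                       'organization_admin', 'company_admin']
//           || request.auth.token.role == null);
//
//     // after: the fallback is gone; no claim means no upload
//     allow write: if request.auth != null
//       && request.auth.token.role in ['super_admin', 'system_admin',
//                                      'organization_admin', 'company_admin'];
//   }

// Roles the page lists as allowed to upload company logos.
const ADMIN_ROLES = Object.freeze([
  'super_admin', 'system_admin', 'organization_admin', 'company_admin',
]);

// `auth` stands in for request.auth: null when unauthenticated, otherwise
// { uid, token } where token carries the custom claims.
function hasAdminRole(auth) {
  return auth !== null && ADMIN_ROLES.includes(auth.token.role);
}

// Mirrors the current rule, including the "|| request.auth.token.role == null"
// fallback: a missing or null role claim is accepted.
function legacyCanUploadLogo(auth) {
  if (auth === null) return false; // unauthenticated is denied either way
  const role = auth.token.role;
  return ADMIN_ROLES.includes(role) || role === undefined || role === null;
}

// Mirrors the hardened rule: only an exact, recognised admin role is accepted.
function hardenedCanUploadLogo(auth) {
  return hasAdminRole(auth);
}

// Constructed fixtures (not real users) standing in for decoded ID tokens.
const FIXTURES = {
  anonymous: null,
  noClaims: { uid: 'u1', token: {} },                       // claims never synced
  viewer: { uid: 'u2', token: { role: 'viewer' } },         // assumed non-admin role
  companyAdmin: { uid: 'u3', token: { role: 'company_admin' } },
  superAdmin: { uid: 'u4', token: { role: 'super_admin' } },
  spoofedRole: { uid: 'u5', token: { role: 'SUPER_ADMIN' } }, // case mismatch, not an admin
};

// Returns the fixture names the legacy rule allows but the hardened rule
// denies: exactly the over-permitted population the TODO is about.
function overPermittedBy(legacy, hardened, fixtures) {
  return Object.entries(fixtures)
    .filter(([, auth]) => legacy(auth) && !hardened(auth))
    .map(([name]) => name);
}

console.log('over-permitted by fallback:',
  overPermittedBy(legacyCanUploadLogo, hardenedCanUploadLogo, FIXTURES));
```

Running it reports only `noClaims`: the one kind of user the fallback admits is a signed-in account whose claims were never synced, which is why the `syncUserClaims` verification step has to complete before the fallback is removed. The `spoofedRole` fixture shows that the role comparison is exact, so the value written by `setCustomUserClaims` must match the list used in the rule character for character.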
Files involved:
- `/storage.rules` - Remove fallback condition
- `/functions/src/auth.js` - Ensure `syncUserClaims` function works
- `/functions/src/ticket-triggers.js` and other function files - Update to Firebase Functions v2 syntax
Last updated: 2025-01-14