-
Notifications
You must be signed in to change notification settings - Fork 119
/
Copy pathfirestore.rules
132 lines (100 loc) · 3.35 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
rules_version = '2';
service cloud.firestore {
///////
// Global Functions
///////
// if this request is coming from super admin
function isSuperAdmin(){
return request.auth.uid == 'super_admin_uid_here' && request.auth != null;
}
// if the user is signed in
function isSignedIn(){
return request.auth != null;
}
///////
// Space
///////
// if the request is coming from the space owner
function isSpaceOwner(){
return request.auth.uid == request.resource.data.ownerUID && isSignedIn();
}
// if a space request is valid
function isValidSpace(){
return request.resource.data.keys().hasOnly(['appMembers', 'memberList', 'icon', 'name','ownerUID', 'spaceLat', 'spaceLon', 'spaceRadius']);
}
// When the users joins using QR Code
function isAddingTheUsersIDToSpace(){
return request.resource.data.diff(resource.data).affectedKeys().
hasOnly(['appMembers']) && isSignedIn();
}
// This occurs when a space owner is modifying a users attendance data
///////
// Users
///////
function isIdOwner(){
return request.resource.id == request.auth.uid;
}
///////
// MetaData
///////
// If the requests match the request of Admin request
function isRequestsFieldValid(){
return request.resource.data.keys().hasOnly(
['name', 'companyName', 'extraInfo', 'email', 'idToken']);
}
///////
// Execution Starts HERE
///////
match /databases/{database}/documents {
// We are restricting the database here
match /{document=**} {
/// This is only for debugging the final version will contain all the security rules;
allow read, write: if isSuperAdmin();
}
// Custom Member access to Admin users
match /members/{ownerID}{
allow read,write: if ownerID == request.auth.uid;
}
match /members/{ownerID}/members_collection/{memberID}{
allow read,write: if ownerID == request.auth.uid;
}
///////
// SPACE
///////
// Space Modification and Creation
match /spaces/{spaceID}{
allow read;
allow create: if isValidSpace();
allow update: if isSpaceOwner() || isAddingTheUsersIDToSpace() ;
allow delete : if isSpaceOwner();
}
///////
// USERS
///////
/// Account Modificaiton and Creation
match /users/{userID}{
allow read: if isSignedIn();
allow update: if isIdOwner();
allow delete: if isSuperAdmin();
}
/// Helper function for the below matching
function isSpaceOwnerAttendance(spaceID, ownerUID){
return get(/databases/$(database)/documents/spaces/$(spaceID)).data.ownerUID == ownerUID;
}
//
function isAttendanceOwner(userID){
return request.auth.uid == userID;
}
/// Attendance Modification
match /users/{userID}/attendance/{spaceID}/data/{year}{
allow create: if isSpaceOwnerAttendance(spaceID, request.auth.uid) ||isAttendanceOwner(userID);
allow read: if isSpaceOwnerAttendance(spaceID, request.auth.uid) ||isAttendanceOwner(userID);
allow update: if isSpaceOwnerAttendance(spaceID, request.auth.uid) ||isAttendanceOwner(userID);
allow delete: if isSpaceOwnerAttendance(spaceID, request.auth.uid);
}
// User request for to be an admin users
match /meta_data/admin_requests/the_requests/{requests}{
allow write: if isRequestsFieldValid();
}
}
}