// Version 2 of the rules language; required for the `let` bindings and
// map diff() calls used below. Also note that in v2 a path match such as
// /works/{id} does NOT cover its subcollections.
rules_version = '2';
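service cloud.firestore {
  // Only the collections matched below are reachable; there is deliberately
  // no /{document=**} catch-all, so anything else is denied by default.
  match /databases/{database}/documents {
    match /users/{uid} {
      // Keys that a user must not be able to set or change on their own
      // profile document. Nothing here grants these keys; keep this list in
      // sync with whatever privileged code writes them.
      function protected() {
        return [
          'admin',
        ];
      }
      // Extend to add any extra validation logic you need here.
      // Right now it only rejects new documents that contain a protected key.
      function createIsValid() {
        let hasProtectedKeys = futureData().keys().hasAny(protected());
        return hasProtectedKeys == false;
      }
      // affectedKeys() covers keys that are added, removed or changed, so an
      // update can neither set nor clear a protected key.
      function updateIsValid() {
        let affectedKeys = futureData().diff(currentData()).affectedKeys();
        let hasProtectedKeys = affectedKeys.hasAny(protected());
        return hasProtectedKeys == false;
      }
      // NOTE: every user document, including the protected keys, is readable
      // without signing in. Tighten this if profiles hold anything private.
      allow read: if true;
      allow delete: if isUser(uid);
      allow create: if isUser(uid) && createIsValid();
      allow update: if isUser(uid) && updateIsValid();
    }
    match /items/{id} {
      allow read: if true;
      //allow read: if isOwner(); // Would restrict reads to just the item owner
      allow delete: if isOwner();
      // Requiring both keeps the owner field from being reassigned on update.
      allow update: if isOwner() && willBeOwner();
      // Create must bind the owner field to the caller, since delete/update
      // trust that field afterwards.
      allow create: if willBeOwner();
    }
    match /works/{id} {
      allow read: if true;
      //allow read: if isOwner(); // Would restrict reads to just the item owner
      allow delete: if isOwner();
      allow update: if isOwner() && willBeOwner();
      allow create: if willBeOwner();
    }
    match /works/{id}/comments/{cid} {
      allow read: if true;
      //allow read: if isOwner(); // Would restrict reads to just the item owner
      allow delete: if isOwner();
      allow update: if isOwner() && willBeOwner();
      // Delete/update on a comment are gated by its owner field, so create
      // has to bind that field to the caller exactly as items and works do.
      // Checking only request.auth.uid != null would let any signed-in user
      // author a comment under someone else's uid (or with no owner at all).
      allow create: if willBeOwner();
    }
  }
}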
// Helper functions that simplify our rules
// Check whether the authenticated caller's uid equals the given uid
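function isUser(uid) {
  // request.auth is null for unauthenticated callers. Checking the object
  // itself first (rather than request.auth.uid) is the documented idiom and
  // denies via a plain false instead of a null-dereference evaluation error;
  // the outcome (deny) is the same either way.
  return request.auth != null && request.auth.uid == uid;
}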
// Check whether the caller is the owner recorded on the existing document
function isOwner(){
  // Owner recorded on the document as it is stored right now; a missing
  // owner field makes this an evaluation error, i.e. a deny.
  let storedOwner = currentData().owner;
  return isUser(storedOwner);
}
// Check whether the caller is the owner recorded on the document as it would be after the write
function willBeOwner(){
  // Owner field of the document as the pending write would leave it.
  let pendingOwner = futureData().owner;
  return isUser(pendingOwner);
}
// Get current data
function currentData() {
  // Fields of the document that currently exists at the matched path.
  // Only meaningful for update/delete; on create there is no current doc.
  return resource.data;
}
// Get the state the document would have if the write were accepted
function futureData() {
  // Fields the document would hold after the pending create/update is
  // applied (the full post-write document, not just the changed fields).
  return request.resource.data;
}