-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirestore.rules
99 lines (88 loc) · 3.35 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
/* check a rider record for a boolean admin property */
function isAdmin() {
return get(/databases/$(database)/documents/private/$(request.auth.token.sub)).data.admin == true;
}
/* check for authentication UID match: avoid counterfeiting */
function isOwner(request) {
return resource.data.owner == request.auth.token.sub ||
request.resource.data.owner == request.auth.token.sub
}
match /users/{document} {
allow read, create;
allow write: if resource.data.uid == request.resource.data.uid
&& resource.data.uid == document
}
match /brevets/{brevet} {
allow read;
allow create: if isAdmin();
allow update: if isAdmin();
/* delete brevet in console only */
/* TODO: delete in web */
allow delete: if false;
match /checkpoints/{checkpoint} {
allow read;
allow create: if isAdmin();
allow update: if isAdmin();
allow delete: if isAdmin();
match /riders/{rider} {
allow read;
allow create: if isAdmin();
allow update: if isAdmin();
/* delete rider progress records in console only */
allow delete: if false;
}
match /private/{document} {
allow read, write: if isAdmin();
}
}
}
match /checkpoints/{checkpoint} {
allow read;
allow create, update, delete: if isAdmin();
match /barcodes/{barcode} {
allow read;
/* accept manually entered codes by an authenticated user */
allow create: if request.auth.uid != null && isOwner(request);
// TODO: improve
allow update: if request.auth.uid != null;
/* delete barcode reports in console only */
allow delete: if false;
}
}
match /riders/{rider} {
allow read;
/* TODO: allow self-creation only */
allow create: if isAdmin() || request.auth.uid != null;
/* edit self profile - match by JWT token, forbid uid change */
allow update: if (resource.data.owner == request.auth.token.sub
/* forbid changing uid: rename the whole document */
&& resource.data.uid == request.resource.data.uid
&& resource.data.uid == rider)
|| isAdmin();
/* admin may delete a rider or the rider himself */
allow delete: if isAdmin() || isOwner(request);
match /barcodes/{barcode} {
allow read;
allow create: if request.auth.uid != null;
allow update: if request.auth.uid != null;
/* delete barcode reports in console only */
allow delete: if false;
}
}
match /private/{rider} {
allow create: if isAdmin() || request.auth.uid != null;
/* edit self profile - match by JWT token, forbid uid change */
allow update: if (isOwner(request)
/* forbid changing uid: rename the whole document */
&& resource.data.uid == request.resource.data.uid
&& resource.data.uid == rider)
|| isAdmin();
/* admin may delete a rider or the rider himself */
allow delete: if isAdmin() || isOwner(request);
allow read, write: if isAdmin() || request.auth.token.sub == rider;
}
}
}