-
Notifications
You must be signed in to change notification settings - Fork 9
/
firestore.rules
49 lines (41 loc) · 2.2 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
// CHALLENGE Firestore 22
// See https://firebase.google.com/docs/firestore/security/get-started
// Application: We've started out with 'test mode' security rules which allow read/write access // to everyone at all times. This is ridiculous. We have to lock down our database
// as soon as possible. That's where these security rules come in.
// First, we'll write a rule to lock down the 'users' collection
// Second, we'll write three functions that will lock down the 'notes' collection
// You'll need to write the entire rule block for the 'users' collection, but we've
// left the rule block for '/notes/{noteId}' in place... because writing the three
// functions is hard enough. Just make sure to read lines 38-42 for a basic
// understanding of how a more complex rules block looks.
service cloud.firestore {
match /databases/{database}/documents {
// Write one read rule for /users/{uid}
// read: request.auth.uid must equal uid
match /users/{uid} {
allow read: if request.auth.uid == uid
}
// See https://firebase.google.com/docs/firestore/security/rules-conditions#custom_functions
// These rules rely on custom functions
function isOwner() {
// The auth token's uid must equal the record's owner field
return request.auth.uid == resource.data.owner
}
function isOwnerRequest() {
// The auth token's uid must equal the attempted write's owner field
return request.auth.uid == request.resource.data.owner
}
function isCollaborator() {
// Traverse the database to get the users's emailSlug
// Compare the emailSlug to the record's `collaborators` object
// See reference for rules.Map: https://firebase.google.com/docs/reference/rules/rules.Map
return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.emailSlug in resource.data.collaborators
}
match /notes/{noteId} { // Applies to all notes
allow read: if isOwner() || isCollaborator()
allow update: if isOwner() || isCollaborator()
allow delete: if isOwner()
allow create: if isOwnerRequest()
}
}
}