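rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // ---- Identity helpers --------------------------------------------------
    // Every helper that reads request.auth checks it is non-null first.
    // Reading a property of a null request.auth is an evaluation error, and
    // an error inside an `allow` condition denies the request, so the
    // intended "deny" path and an accidental rules bug look identical.

    function isSignedIn() {
      return request.auth != null;
    }

    // Path of the caller's own profile document (users/{uid}).
    function callerDocPath() {
      return /databases/$(database)/documents/users/$(request.auth.uid);
    }

    // True when the signed-in caller's profile carries the given role.
    // The exists() guard is kept on purpose: a caller whose profile has not
    // been written yet must get `false`, not an error, because the users
    // self-create rule below depends on that.
    function hasRole(role) {
      return isSignedIn()
        && exists(callerDocPath())
        && get(callerDocPath()).data.role == role;
    }

    function isSuperAdmin() {
      return hasRole('super_admin');
    }

    // super_admin implies admin.
    function isAdmin() {
      return isSuperAdmin() || hasRole('admin');
    }

    // Caller is not editing their own profile. Compared against the path
    // segment as well as the stored `uid` field, so a profile document that
    // was written without a `uid` field cannot be used to edit yourself.
    function notYourself(userID) {
      return request.auth.uid != userID
        && request.auth.uid != resource.data.get('uid', null);
    }

    // Comment owner is matched by email; super_admin may act on any comment.
    function isCommentOwner() {
      return isSuperAdmin()
        || (isSignedIn() && resource.data.user_email == request.auth.token.email);
    }

    /**
     * Following rules are copied from Security Rules video https://youtu.be/eW5MdE3ZcAw
     */
    // Validates the incoming comment document: rating 1..5, text 3..1999
    // chars, title 3..119 chars, and user_email bound to the caller (their
    // token email when signed in, the literal 'anonymous' otherwise).
    // NOTE(review): only the listed fields are validated; the client may add
    // arbitrary extra keys. Once the comment schema is settled, add
    // `request.resource.data.keys().hasOnly([...])` here.
    function inputIsValid() {
      let d = request.resource.data;
      return d.rating is number
        && d.rating >= 1
        && d.rating <= 5
        && d.text is string
        && d.text.size() > 2
        && d.text.size() < 2000
        && d.title is string
        && d.title.size() > 2
        && d.title.size() < 120
        && ((isSignedIn() && d.user_email == request.auth.token.email)
            || (!isSignedIn() && d.user_email == 'anonymous'));
    }

    // An update may not alter the rating once written.
    function dontChangeRating() {
      return request.resource.data.rating == resource.data.rating;
    }

    // ---- Collections ---------------------------------------------------------

    match /fcmTokens/{tokenId} {
      // Single-document reads and writes stay open, as they were, but a
      // client can no longer query the whole collection: an open `list`
      // hands every device's push token to anyone who asks.
      allow get: if true;
      allow list: if false;
      // TODO(review): tie create/update/delete to the token's owner once the
      // document schema (who writes these, under which id) is known; today
      // any client can overwrite or delete any token.
      allow write: if true;
    }

    match /products/{productID} {
      // Catalogue is public; only super_admin adds/removes, admins may edit.
      allow read: if true;
      allow create, delete: if isSuperAdmin();
      allow update: if isAdmin();

      match /comments/{commentId} {
        allow read: if true;
        // Anonymous comments are allowed; inputIsValid() binds user_email.
        allow create: if inputIsValid();
        allow update: if inputIsValid() && isCommentOwner() && dontChangeRating();
        allow delete: if isCommentOwner();
      }
    }

    match /users/{userID} {
      // A user may bootstrap their own profile, but not with an elevated
      // role: without this guard any signed-in caller could create
      // /users/{own uid} with role 'super_admin' and satisfy every admin
      // check above.
      allow create: if isSuperAdmin()
        || (isSignedIn()
            && request.auth.uid == userID
            && !(request.resource.data.get('role', null) in ['admin', 'super_admin']));
      allow read: if isSuperAdmin() || (isSignedIn() && request.auth.uid == userID);
      // Admins may edit other profiles, but only a super_admin may change a
      // role; otherwise an admin could promote an accomplice or demote a
      // super_admin.
      allow update: if isAdmin()
        && notYourself(userID)
        && (isSuperAdmin()
            || request.resource.data.get('role', null) == resource.data.get('role', null));
      allow delete: if isSuperAdmin() && notYourself(userID);
    }
  }
}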