From 51cb73f3d82a82e1bc8a9cd60e3f23f85c7f59e6 Mon Sep 17 00:00:00 2001
From: Luke Watts
Date: Tue, 21 May 2024 21:39:17 +0200
Subject: [PATCH] feat: restrict access to categories

---
 firestore.rules                               | 12 ++++++---
 packages/security-rules/tests/general.spec.ts | 26 ++++++++++++++++---
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/firestore.rules b/firestore.rules
index cf12163f1f..3d6dd5b99a 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -19,6 +19,10 @@ service cloud.firestore {
       return true;
     }
 
+    function noWriteAccess() {
+      return false;
+    }
+
     match /aggregations_rev20220126/{document=**} {
       allow read: if isPublicReadable();
       allow write: if isPublicWritable();
@@ -36,7 +40,7 @@ service cloud.firestore {
 
     match /question_categories_rev20231130/{document=**} {
       allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
     }
 
     match /questions_rev20230926/{document=**} {
@@ -46,7 +50,7 @@ service cloud.firestore {
 
     match /research_categories_rev20221224/{document=**} {
       allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
     }
 
     match /research_rev20201020/{document=**} {
@@ -84,12 +88,12 @@ service cloud.firestore {
 
     match /v3_categories/{document=**} {
       allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
     }
 
     match /v3_tags/{document=**} {
       allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
     }
 
     match /v3_users/{userId} {
diff --git a/packages/security-rules/tests/general.spec.ts b/packages/security-rules/tests/general.spec.ts
index b8074c1870..84608b77fe 100644
--- a/packages/security-rules/tests/general.spec.ts
+++ b/packages/security-rules/tests/general.spec.ts
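Review bot: noWriteAccess() in the first hunk returns false unconditionally, so the four write rules it replaces (question_categories_rev20231130, research_categories_rev20221224, v3_categories and v3_tags in the later hunks) now deny every client-SDK write, signed-in or not, and nothing in the rules file records why. A one-line comment on the helper would save the next reader a search, e.g. `// Reference data (categories, tags) is read-only for clients; maintenance is expected to go through the Admin SDK, which bypasses these rules.` — the Admin SDK part is an assumption to confirm against how these collections are actually populated, since any client-side maintenance path is now rejected. The `return true;` directly above the new helper is the tail of a function whose header is outside the hunk; if that function is isPublicWritable(), these collections were previously writable by unauthenticated clients, which is worth stating in the commit or the comment as the motivation. A named helper is a reasonable alternative to the plain `allow write: if false;` idiom, but it should then be applied to every collection intended to be read-only rather than only these four.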
@@ -105,14 +105,11 @@ describe('community platform', () => {
   const publicCollections = [
     'aggregations_rev20220126',
     'discussions_rev20231022',
-    'question_categories_rev20231130',
     'questions_rev20230926',
-    'research_categories_rev20221224',
     'research_rev20201020',
     'user_notifications_rev20221209',
     'v3_howtos',
     'v3_mappins',
-    'v3_tags',
     'v3_users',
   ]
@@ -131,4 +128,27 @@ describe('community platform', () => {
       })
     })
   })
+
+  const readableCollections = [
+    'v3_categories',
+    'v3_tags',
+    'research_categories_rev20221224',
+    'question_categories_rev20231130',
+  ]
+
+  readableCollections.forEach((collection) => {
+    describe(`${collection}`, () => {
+      it(`${collection} allows READ`, async () => {
+        await assertSucceeds(getDoc(doc(unauthedDb, collection, 'bar')))
+      })
+
+      it(`${collection} does not allow WRITE`, async () => {
+        await assertFails(
+          setDoc(doc(unauthedDb, collection, 'bar'), {
+            email: '',
+          }),
+        )
+      })
+    })
+  })
 })
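Review bot: The new "does not allow WRITE" case in the second hunk only exercises `unauthedDb`, while the rule it covers (`noWriteAccess()` in firestore.rules) rejects writes from every client, so the case most likely to regress — a signed-in user writing a category or tag — is not pinned; if the suite provides an authenticated test database alongside `unauthedDb`, add a parallel `await assertFails(setDoc(doc(AUTHED_DB_PLACEHOLDER, collection, 'bar'), { title: 'x' }))` using whatever that client is called. The `{ email: '' }` payload looks copied from a users-collection test; a neutral field avoids implying these documents carry an email. The template literal in `describe(\`${collection}\`, …)` wraps a plain string and can be `describe(collection, () => {`. The first hunk is a pure removal of three names from publicCollections and needs nothing further; the body of that list's existing loop is outside the hunk.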