-
Notifications
You must be signed in to change notification settings - Fork 0
/
firestore.rules
113 lines (102 loc) · 4.3 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function isAlbumOwner(albumId, uid) {
let album = get(/databases/$(database)/documents/albums/$(albumId)).data;
return album.uid == uid;
}
function isAlbumOwnerAfter(albumId, uid) {
let album = getAfter(/databases/$(database)/documents/albums/$(albumId)).data;
return album.uid == uid;
}
function getAccess(albumId, uid) {
let access = get(/databases/$(database)/documents/public/$(albumId)/accesses/$(uid)).data;
return access;
}
function hasAccess(albumId) {
let public = get(/databases/$(database)/documents/public/$(albumId)).data;
return public.status &&
(public.password == false
|| !('password' in public)
|| (request.auth != null
&& getAccess(albumId, request.auth.uid).version == public.version));
}
function allowReadAlbum(albumId) {
return (request.auth != null && isAlbumOwner(albumId, request.auth.uid))
|| hasAccess(albumId);
}
function verifyFields(data, required, optional) {
let allAllowedFields = required.concat(optional);
return data.keys().hasAll(required)
&& data.keys().hasOnly(allAllowedFields);
}
// function diffHasOnly(fields) {
// return request.resource.data.diff(resource.data).affectedKeys().hasOnly(fields)
// }
match /public/{albumId} {
allow read; //anyone
allow create: if request.auth != null
&& isAlbumOwner(albumId, request.auth.uid)
&& request.resource.data.uid == request.auth.uid
&& verifyFields(request.resource.data, ['name', 'status', 'uid'], ['password', 'version'])
allow update: if request.auth != null
&& isAlbumOwner(albumId, request.auth.uid)
&& request.resource.data.uid == request.auth.uid
&& verifyFields(request.resource.data, ['name', 'status', 'uid'], ['password', 'version']);
allow delete: if request.auth != null
&& isAlbumOwner(albumId, request.auth.uid);
match /accesses/{uid} {
allow read: if request.auth != null
&& uid == request.auth.uid;
}
}
match /users/{uid} {
allow read: if request.auth != null
&& uid == request.auth.uid;
allow update: if request.auth != null
&& uid == request.auth.uid
&& request.resource.data.sub == resource.data.sub
&& verifyFields(request.resource.data, ['sub'], ['albumId','albums','revoked']);
match /albums/{albumId} {
allow read: if request.auth != null
&& uid == request.auth.uid;
allow create, update: if request.auth != null
&& uid == request.auth.uid
&& verifyFields(request.resource.data, ['name', 'owner', 'created'], []);
allow delete: if request.auth != null
&& uid == request.auth.uid;
}
}
match /cache/{albumId} {
allow read: if allowReadAlbum(albumId);
allow delete: if request.auth != null
&& isAlbumOwner(albumId, request.auth.uid);
}
match /albums/{albumId} {
allow read: if allowReadAlbum(albumId);
allow create: if request.auth != null
&& request.resource.data.uid == request.auth.uid
&& verifyFields(request.resource.data, ['uid', 'name'], ['created','columns','rows','fit','interval','orientation','randomGridOrder','transition']);
allow update: if request.auth != null
&& resource.data.uid == request.auth.uid
&& request.resource.data.uid == request.auth.uid
&& verifyFields(request.resource.data, ['uid', 'name'], ['created','columns','rows','fit','interval','orientation','randomGridOrder','transition']);
allow delete: if request.auth != null
&& resource.data.uid == request.auth.uid;
match /secrets/google {
allow read: if request.auth != null
&& isAlbumOwner(albumId, request.auth.uid);
allow write: if request.auth != null
&& isAlbumOwnerAfter(albumId, request.auth.uid)
&& verifyFields(request.resource.data, ['albumId'], []);
}
match /secrets/password {
allow read: if request.auth != null
&& isAlbumOwner(albumId, request.auth.uid);
allow write: if request.auth != null
&& isAlbumOwner(albumId, request.auth.uid)
&& verifyFields(request.resource.data, ['value'], []);
}
}
}
}