// Rules language v2 (in v2 the recursive wildcard `{document=**}` used by the
// deny-all rule below matches zero or more path segments, i.e. every document).
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// auth rule functions
// True when the request carries a verified Firebase Auth identity
// (request.auth is populated); false for unauthenticated calls.
function isAuthenticated() {
  return !(request.auth == null);
}
// True when the caller's ID token carries the custom claim `admin: true`.
// Dereferences request.auth without a null check, so on an unauthenticated
// request this evaluates with an error rather than returning false (the
// request is still denied); use isAdminAuthenticated() where the null case
// should be handled explicitly.
function isAdmin() {
  let claims = request.auth.token;
  return claims.admin == true;
}
// True only for a signed-in caller whose token has the admin claim.
// isAuthenticated() is evaluated first so isAdmin() never reads a null request.auth.
function isAdminAuthenticated() {
  let signedIn = isAuthenticated();
  return signedIn && isAdmin();
}
// True when the caller is signed in and its uid equals the path's userId.
// The null check comes first so request.auth.uid is only read for signed-in callers.
function isUserAuthenticated(userId) {
  return isAuthenticated() && request.auth.uid == userId;
}
// Owner-or-admin check: the caller either is the user identified by userId
// or is a signed-in admin. Both operands handle a null request.auth themselves.
function isUserOrAdminAuthenticated(userId) {
  return isAdminAuthenticated() || isUserAuthenticated(userId);
}
// schema rule functions
// Shape check applied to a private user file document on create.
// Requires fileName (string), fileSize (number) and fileMimeType (string).
// hasAll() only requires these keys to be present, so additional keys are
// accepted, and there is no bound on fileSize or on the string lengths.
function isValidPrivateUserFileCreated(file) {
  let required = ['fileName', 'fileSize', 'fileMimeType'];
  return file.keys().hasAll(required)
      && file.fileName is string
      && file.fileSize is number
      && file.fileMimeType is string;
}
// TODO: add schema rule functions
// default: deny everything not explicitly allowed by a rule below
// Catch-all: any path not granted by a more specific match below is denied.
// This is also Firestore's default; stating it keeps the intent visible.
match /{document=**} {
  allow read: if false;
  allow write: if false;
}
// for admin
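// Admin view of users. Requires a signed-in caller with the admin claim.
// isAdminAuthenticated() checks request.auth for null before reading the
// token, so unauthenticated calls are rejected by an explicit check rather
// than by an evaluation error inside isAdmin(); this also matches the
// private section, which already goes through the *Authenticated helpers.
// delete is never granted and falls through to the deny-all rule.
match /v/1/types/admin/users/{userId} {
  allow get, list, create, update: if isAdminAuthenticated();
}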
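// Admin view of a user's transactions. Signed-in admin only; the explicit
// null check in isAdminAuthenticated() replaces reliance on isAdmin()
// erroring for unauthenticated requests. delete is never granted.
match /v/1/types/admin/users/{userId}/transactions/{transactionId} {
  allow get, list, create, update: if isAdminAuthenticated();
}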
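// Admin view of a user's files. Signed-in admin only; the explicit null
// check in isAdminAuthenticated() replaces reliance on isAdmin() erroring
// for unauthenticated requests. No schema check is applied on the admin
// path (compare the private files rule). delete is never granted.
match /v/1/types/admin/users/{userId}/files/{fileId} {
  allow get, list, create, update: if isAdminAuthenticated();
}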
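// Admin view of a file's transactions. Signed-in admin only; the explicit
// null check in isAdminAuthenticated() replaces reliance on isAdmin()
// erroring for unauthenticated requests. delete is never granted.
match /v/1/types/admin/users/{userId}/files/{fileId}/transactions/{transactionId} {
  allow get, list, create, update: if isAdminAuthenticated();
}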
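// Admin view of a transaction's embedded documents. Signed-in admin only;
// the explicit null check in isAdminAuthenticated() replaces reliance on
// isAdmin() erroring for unauthenticated requests. delete is never granted.
// The path segment `embededs` is kept as spelled: it is part of the stored
// data layout and must match the private-side rule and the clients.
match /v/1/types/admin/users/{userId}/files/{fileId}/transactions/{transactionId}/embededs/{embeddedId} {
  allow get, list, create, update: if isAdminAuthenticated();
}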
// for the owning (signed-in) user or an admin
// Private user document: readable by the owner or an admin. No write is
// granted here (update is intentionally left disabled below).
// NOTE(review): for a non-admin, `list` only passes when the query is
// constrained so every result satisfies userId == request.auth.uid —
// confirm the clients query that way.
match /v/1/types/private/users/{userId} {
  allow get, list: if isUserOrAdminAuthenticated(userId);
  // allow update: if isUserOrAdminAuthenticated(userId);
}
// A user's transactions: read-only for the owner or an admin.
// create/update are intentionally left disabled below, so only the admin
// path can write these documents.
match /v/1/types/private/users/{userId}/transactions/{transactionId} {
  allow get, list: if isUserOrAdminAuthenticated(userId);
  // allow create: if isUserOrAdminAuthenticated(userId);
  // allow update: if isUserOrAdminAuthenticated(userId);
}
// A user's files: readable by the owner or an admin; the owner or an admin
// may create a file, but only when the new document passes the schema check.
// update is intentionally left disabled below; delete is never granted.
match /v/1/types/private/users/{userId}/files/{fileId} {
  allow get, list: if isUserOrAdminAuthenticated(userId);
  // request.resource.data is the document as it would be written
  allow create: if isUserOrAdminAuthenticated(userId)
      && isValidPrivateUserFileCreated(request.resource.data);
  // allow update: if isUserOrAdminAuthenticated(userId);
}
// A file's transactions: read-only for the owner or an admin.
// create/update are intentionally left disabled below.
match /v/1/types/private/users/{userId}/files/{fileId}/transactions/{transactionId} {
  allow get, list: if isUserOrAdminAuthenticated(userId);
  // allow create: if isUserOrAdminAuthenticated(userId);
  // allow update: if isUserOrAdminAuthenticated(userId);
}
// A transaction's embedded documents: read-only for the owner or an admin.
// create/update are intentionally left disabled below. The segment
// `embededs` is kept as spelled because it is part of the stored data layout.
match /v/1/types/private/users/{userId}/files/{fileId}/transactions/{transactionId}/embededs/{embeddedId} {
  allow get, list: if isUserOrAdminAuthenticated(userId);
  // allow create: if isUserOrAdminAuthenticated(userId);
  // allow update: if isUserOrAdminAuthenticated(userId);
}
}
}