firestore.rules
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// -------------------------------------------------------------------------
// User auth and document state helper functions.
// True when the request carries Firebase Authentication credentials,
// i.e. request.auth is populated.
function isSignedIn() {
  return request.auth != null;
}
// True when the caller's stored role is one of `targetTypes`.
//
// The role is read from the `userType` field of /users/{request.auth.uid}, so
// that document is the source of truth for authorization. Any rule that lets a
// client write `userType` on its own users document lets it grant itself a
// role; keep that field writable only by trusted paths.
//
// request.auth.uid is dereferenced without a null check; the callers in this
// file test isSignedIn() first.
//
// Alternative kept from the original author: read the role from the ID token
// instead of the document (custom claims are set server-side):
//   return request.auth.token.userType in targetTypes;
function isOneOfTypes(targetTypes) {
  return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.userType in targetTypes;
}
// True for an authenticated caller whose stored userType is "admin" or
// "superAdmin". The sign-in check runs first so the role lookup is never
// attempted for an anonymous request.
function isSignedInAdmin() {
  return isSignedIn()
    && isOneOfTypes(["admin", "superAdmin"]);
}
// True for an authenticated caller whose stored userType is "superAdmin".
// A plain "admin" does not satisfy this check.
function isSignedInSuperAdmin() {
  return isSignedIn()
    && isOneOfTypes(["superAdmin"]);
}
// True when the authenticated caller's uid equals `id`, i.e. the caller is
// acting on the document that belongs to them.
function isSignedInSelf(id) {
  return isSignedIn()
    && id == request.auth.uid;
}
// True when /users/{request.auth.uid} has `adminApproved` set to exactly true.
//
// Like the role lookup, this trusts a field on the caller's own users
// document, so `adminApproved` must not be writable by the user it describes.
// request.auth.uid is dereferenced without a null check; the caller in this
// file tests isSignedIn() first.
//
// Alternative kept from the original author: read the flag from the ID token:
//   return request.auth.token.adminApproved == true;
function isAdminApproved() {
  return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.adminApproved == true;
}
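// [users] collection:
//
// Authorization for the whole ruleset is derived from two fields stored on
// these documents, `userType` and `adminApproved` (read by isOneOfTypes() and
// isAdminApproved()), so who may write those fields decides who can become an
// admin or an approved user.
//
// - create : auto-triggered by first sign-in and handled by Cloud Function;
//            never allowed from a client.
//
// - read   :
//   - get  : authed users can get own record; (super) admins can get any.
//   - list : authed (super) admin users and authed admin-approved users.
//
// - update :
//   - authed users can update own record as long as the write leaves
//     `userType` and `adminApproved` untouched.
//   - authed (super) admin users can update any record.
//
// - delete : not (yet) allowed.
//
match /users/{id} {
  // True when the pending write adds, removes or changes a field that the
  // authorization helpers read. Unchanged values sent along with the write do
  // not count, so clients that write the whole document keep working.
  function touchesRoleFields() {
    return request.resource.data.diff(resource.data).affectedKeys()
      .hasAny(["userType", "adminApproved"]);
  }

  allow create: if false;

  allow get: if isSignedInSelf(id)
    || isSignedInAdmin();

  // NOTE(review): the stated intent is that approved users only see approved
  // mentors' non-admin data, but this condition never looks at resource.data,
  // so an approved user can list every users document with all of its fields.
  // Rules cannot hide individual fields; narrowing this needs a condition on
  // resource.data or a separate collection holding only the shareable data.
  allow list: if (isSignedIn() && isAdminApproved())
    || isSignedInAdmin();

  // Without the touchesRoleFields() guard the owner of a record could set
  // their own `userType` or `adminApproved` and pass every admin check.
  // NOTE(review): an "admin" may still change role fields, including on their
  // own record, and so can become "superAdmin"; if superAdmin-only actions
  // must stay exclusive, gate role-field changes on isSignedInSuperAdmin().
  allow update: if (isSignedInSelf(id) && !touchesRoleFields())
    || isSignedInAdmin();

  allow delete: if false;

  // [metadata] sub-collection (currently disabled):
  //
  // - create : handled by Cloud Function.
  // - read   : authed (super) admin users can read all records.
  // - update : currently triggered by application submission for authed users.
  // - delete : not allowed.
  //
  // While this stays commented out no rule matches users/{id}/metadata/*, so
  // client access to it is denied.
  //
  //match /metadata/{metadataField} {
  //  allow create, delete: if false;
  //  allow read: if isSignedInAdmin();
  //  allow update: if isSignedInSelf(id);
  //}
}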
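// [blacklist] collection, keyed by hashed e-mail:
//
// - create : (super) admin-only, and record not already exist.
//
// - read   :
//   - get  : any authed user, by document id.
//   - list : authed (super) admin users can read all ids.
//
// - update : authed super admin users only.
//
// - delete : authed super admin users only.
//
match /blacklist/{hashedEmail} {
  // `create` is only evaluated for a document that does not exist yet, so the
  // exists() guard looks redundant - TODO confirm before removing.
  allow create: if isSignedInAdmin()
    && !exists(/databases/$(database)/documents/blacklist/$(hashedEmail));

  // get and list are granted separately: a single `allow read` would also let
  // every signed-in user enumerate the whole blacklist.
  // NOTE(review): the intent is "own id", but this condition cannot tie
  // hashedEmail to the caller, so any signed-in user who can compute the hash
  // of an address can test whether it is blacklisted - confirm that is
  // acceptable.
  allow get: if isSignedIn();
  allow list: if isSignedInAdmin();

  allow update, delete: if isSignedInSuperAdmin();

  // [metadata] sub-collection:
  //
  // - create : handled by Cloud Function.
  // - read   : authed (super) admin users can read all records.
  // - update : handled by Cloud Function.
  // - delete : not allowed.
  //
  match /metadata/{metadataField} {
    allow create, update, delete: if false;
    allow read: if isSignedInAdmin();
  }
}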
// [waitlist] collection, keyed by hashed e-mail:
//
// - create : (super) admin-only, and only while no /blacklist document exists
//            for the same hashedEmail.
// - get    : any authed user, by document id.
// - list   : authed (super) admin users only.
// - update : authed super admin users only.
// - delete : authed super admin users only.
//
// NOTE(review): the create guard looks up /blacklist, not /waitlist -
// presumably to keep blacklisted addresses off the waitlist; confirm it is
// not a copy-paste from the blacklist rule.
// NOTE(review): `get` is open to every signed-in user, so anyone who can
// compute the hash of an address can test whether it is on the waitlist.
match /waitlist/{hashedEmail} {
  allow create: if isSignedInAdmin()
    && !exists(/databases/$(database)/documents/blacklist/$(hashedEmail));

  allow get: if isSignedIn();
  allow list: if isSignedInAdmin();

  allow update: if isSignedInSuperAdmin();
  allow delete: if isSignedInSuperAdmin();

  // [metadata] sub-collection (currently disabled):
  //
  // - create : handled by Cloud Function.
  // - read   : authed (super) admin users can read all records.
  // - update : handled by Cloud Function.
  // - delete : not allowed.
  //
  //match /metadata/{metadataField} {
  //  allow create, update, delete: if false;
  //  allow read: if isSignedInAdmin();
  //}
}
// [bugReports] collection:
//
// - create : anyone, signed in or not, and record not already exist.
// - read   : authed (super) admin users only.
// - update : not (yet) allowed.
// - delete : not (yet) allowed.
//
// NOTE(review): create has no authentication, size or shape check, so any
// client can store arbitrary documents here. If anonymous reports must stay
// possible, consider validating request.resource.data (allowed keys, string
// lengths) and putting App Check or rate limiting in front of the write.
// `create` is only evaluated for a document that does not exist yet, so the
// exists() guard looks redundant - TODO confirm before removing.
match /bugReports/{id} {
  allow create: if !exists(/databases/$(database)/documents/bugReports/$(id));
  allow read: if isSignedInAdmin();
  allow update: if false;
  allow delete: if false;
}
}
}