// Rules language version 2; the match blocks and function definitions below
// assume v2 semantics.
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// NOTE(review): `/listings` names a collection, not a document, and rules are
// evaluated against document paths, so this block appears never to apply.
// Queries on the collection are governed by the `allow read` in
// /listings/{listingId} below, which already permits `list`. Left in place —
// confirm with the rules emulator before removing.
match /listings {
  allow list: if true; // Allow listing collection queries, essential for features like filtering and pagination.
}
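// Listings collection rules
match /listings/{listingId} {
  function isSignedIn() {
    return request.auth != null;
  }
  // The caller is the creator recorded on the existing listing.
  function isCreator() {
    return isSignedIn() && request.auth.uid == resource.data.createdBy;
  }
  // Anyone, signed in or not, can get or query listings.
  allow read: if true;
  // Creating requires sign-in, and the new document must record the caller as
  // its creator. Without this check a listing could be filed under another
  // user's uid (or with no createdBy at all), so that the update/delete rule
  // below would hand control to the wrong person or to nobody.
  allow create: if isSignedIn() && request.resource.data.createdBy == request.auth.uid;
  // Only the creator may modify a listing, and an update may not reassign
  // ownership to someone else.
  allow update: if isCreator() && request.resource.data.createdBy == resource.data.createdBy;
  allow delete: if isCreator();
}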
// NOTE(review): as with `/listings` above, `/accounts` names a collection, so
// this block appears never to match a document and its `list` rule is not what
// governs queries; the `allow read` in /accounts/{accountId} below does. The
// two helpers are duplicated there as well. Confirm with the rules emulator
// before removing.
match /accounts {
  allow list: if isPublicUser() || isPublicGroup();
  // Public Group access
  function isPublicGroup() {
    return (resource.data.privacy == 'public' && resource.data.type == 'group');
  }
  // Public User access
  function isPublicUser() {
    return (request.auth != null && resource.data.privacy == 'public' && resource.data.type == 'user');
  }
}
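// Match the Account collection
match /accounts/{accountId} {
  function isSignedIn() {
    return request.auth != null;
  }
  // The caller is reading or writing their own account document.
  function isAccountOwner() {
    return isSignedIn() && request.auth.uid == accountId;
  }
  // Path of the caller's relationship entry under this account. That entry is
  // what grants friend/group access, so writes to it must be limited to the
  // account owner (see the relatedAccounts rules); otherwise any signed-in
  // user could approve themselves.
  function relatedEntryPath(uid) {
    return /databases/$(database)/documents/accounts/$(accountId)/relatedAccounts/$(uid);
  }
  // An entry grants access when it is an accepted friend ('user') or group
  // ('group') relationship. A missing field evaluates to an error and denies.
  function isAccepted(entry) {
    return entry.type in ['user', 'group'] && entry.status == 'accepted';
  }
  function isAcceptedEntry(path) {
    return exists(path) && isAccepted(get(path).data);
  }
  // True when the caller has an accepted relationship entry under this
  // account. Uses one exists() and one get() instead of the original six
  // document-access calls to the same path; those calls count toward the
  // per-evaluation document-access limit.
  function hasAcceptedRelation() {
    return isSignedIn() && isAcceptedEntry(relatedEntryPath(request.auth.uid));
  }
  // Public Group access — readable without signing in.
  function isPublicGroup() {
    return resource.data.privacy == 'public' && resource.data.type == 'group';
  }
  // Public User access — readable by any signed-in user.
  function isPublicUser() {
    return isSignedIn() && resource.data.privacy == 'public' && resource.data.type == 'user';
  }
  // Readable by the owner, by accepted friends/groups, by anyone for public
  // groups, and by signed-in users for public user accounts. Rules are not
  // filters: a list query must be constrained so that every document it could
  // return satisfies this rule, or the whole query is rejected.
  allow read: if isAccountOwner() || hasAcceptedRelation() || isPublicGroup() || isPublicUser();
  // Only the owner may create, update or delete their account document
  // (`write` already covers create, update and delete).
  allow write: if isAccountOwner();
}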
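// Rules for relatedAccount
match /accounts/{accountId}/relatedAccounts/{relatedAccountId} {
  function isSignedIn() {
    return request.auth != null;
  }
  // The owner of the account the entry lives under.
  function isAccountOwner() {
    return isSignedIn() && request.auth.uid == accountId;
  }
  // The other party named by the entry's document id.
  function isCounterpart() {
    return isSignedIn() && request.auth.uid == relatedAccountId;
  }
  // These entries are what the /accounts/{accountId} read rule consults to
  // grant friend/group access (type + status == 'accepted'). The previous rule
  // let any signed-in user write any entry under any account, so a user could
  // create /accounts/<victim>/relatedAccounts/<self> with status 'accepted' and
  // read a private account. Writes are therefore limited as follows.
  allow read: if isAccountOwner() || isCounterpart();
  // The account owner manages relationships under their own account, including
  // marking a request as accepted.
  allow write: if isAccountOwner();
  // The counterpart may file a request for themselves, but may not mark it
  // accepted; acceptance stays with the owner. A missing status is treated as
  // not accepted. Adjust if the app's invitation flow differs.
  allow create: if isCounterpart() && request.resource.data.get('status', 'pending') != 'accepted';
  // The counterpart may withdraw their own request or leave.
  allow delete: if isCounterpart();
}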
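// Rules for AppFeedback
match /feedback/{accountId} {
  function isSignedIn() {
    return request.auth != null;
  }
  // The feedback document is keyed by the account that submitted it.
  function isAccountOwner() {
    return isSignedIn() && request.auth.uid == accountId;
  }
  // Only the owner may create, read or update their own feedback. The previous
  // rule let any signed-in user read and overwrite every feedback document.
  // If a reviewer/admin role needs to read feedback, add an explicit check
  // for it here rather than widening this rule.
  allow read, create, update: if isAccountOwner();
  // Feedback is never deleted from the client. Allow statements are OR-ed
  // together, so the previous `allow write` (which includes delete) silently
  // overrode this line; granting `update` instead of `write` makes it effective.
  allow delete: if false;
}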
}
}