-
Notifications
You must be signed in to change notification settings - Fork 8
/
firestore.rules
90 lines (78 loc) · 3.21 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function sameUID(uid) {
return isLoggedIn() && (uid == request.auth.uid);
}
function isLoggedIn() {
return request.auth != null;
}
function hasRole(role) {
return (isLoggedIn() && (get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == role));
}
function notUpdating(field) {
return !(field in request.resource.data) || (resource.data[field] == request.resource.data[field]);
}
function invalidStateUpdate(statusFieldName) {
return !(statusFieldName in request.resource.data) || (request.resource.data[statusFieldName] == 7);
}
function invalidUserUpdate() {
return (notUpdating("apple_pass_url") && notUpdating("google_qr_url") && notUpdating("role") && notUpdating("uid"));
}
function isInTeam(teamData) {
return (isLoggedIn() && (request.auth.uid in teamData.teamMembers));
}
function isInTeamWithInvite(inviteData) {
return (isInTeam(get(/databases/$(database)/documents/teams/$(inviteData.teamId)).data));
}
match /users/{userId} {
allow get: if hasRole("admin") || hasRole("sponsor") || sameUID(userId);
allow list: if hasRole("admin") || hasRole("sponsor");
allow create: if hasRole("admin") || (sameUID(userId));
allow update: if hasRole("admin") || (sameUID(userId) && invalidUserUpdate() && invalidStateUpdate("status"));
allow delete: if hasRole("admin");
}
match /volunteers/{voldId} {
allow list: if hasRole("admin");
allow get: if hasRole("admin") || (sameUID(voldId));
allow create: if hasRole("admin") || (sameUID(voldId));
allow update: if hasRole("admin") || (sameUID(voldId));
allow delete: if hasRole("admin");
}
match /mentors/{voldId} {
allow list: if hasRole("admin");
allow get: if hasRole("admin") || (sameUID(voldId));
allow create: if hasRole("admin") || (sameUID(voldId));
allow update: if hasRole("admin") || (sameUID(voldId));
allow delete: if hasRole("admin");
}
match /teams/{teamId} {
allow get: if hasRole("admin") || isInTeam(resource.data);
allow list: if hasRole("admin");
allow create: if isLoggedIn();
allow update: if hasRole("admin") || isInTeam(resource.data);
allow delete: if hasRole("admin") || isInTeam(resource.data);
}
match /teamInvites/{teamInviteId} {
allow get: if hasRole("admin") || isInTeamWithInvite(resource.data);
allow list: if hasRole("admin");
allow create: if hasRole("admin") || isInTeamWithInvite(request.resource.data);
allow update: if hasRole("admin") || isInTeamWithInvite(request.resource.data);
allow delete: if hasRole("admin") || isInTeamWithInvite(resource.data);
}
match /applications/{appId} {
allow get: if hasRole("admin") || sameUID(appId);
allow list: if hasRole("admin") || hasRole("sponsor");
allow create: if hasRole("admin") || (sameUID(appId));
allow update: if hasRole("admin") || (sameUID(appId) && notUpdating("uid") && invalidStateUpdate("applicationStatus"));
allow delete: if hasRole("admin");
}
match /admin/{docId} {
allow get: if true;
allow list: if true;
allow create: if hasRole("admin");
allow update: if hasRole("admin");
allow delete: if hasRole("admin");
}
}
}