-
Notifications
You must be signed in to change notification settings - Fork 2
/
firestore.rules
115 lines (92 loc) · 4.48 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /counters/{counterID=**} {
allow read: if true;
allow write: if false;
}
match /foodwords/{foodwordID=**} {
allow read: if true;
allow write: if request.auth != null && request.auth.token.email == '[email protected]';
}
match /suggestedfoodwords/{foodwordID=**} {
allow read: if request.auth != null && (request.auth.uid == resource.data.creator_uid || request.auth.token.email == '[email protected]');
allow delete: if request.auth != null && (request.auth.uid == resource.data.creator_uid || request.auth.token.email == '[email protected]');
allow create: if request.auth != null;
}
match /feedback/{feedbackID} {
allow create: if request.auth != null;
allow read: if request.auth != null && request.auth.uid == resource.data.creator_uid;
}
// Authenticated users can query the "invitations" collection group
// Applies to collection queries, collection group queries, and
// single document retrievals
match /{path=**}/invitations/{invitationID} {
allow read: if request.auth != null;
}
match /shoppinglists/{listID} {
allow create: if request.auth != null;
allow read, write: if request.auth != null && request.auth.uid in resource.data.owners;
match /items/{itemID} {
allow read, write: if request.auth != null && request.auth.uid in get(/databases/$(database)/documents/shoppinglists/$(listID)).data.owners;
}
match /pictures/{pictureID} {
allow read, write: if request.auth != null && request.auth.uid in get(/databases/$(database)/documents/shoppinglists/$(listID)).data.owners;
}
match /texts/{pictureID} {
allow read, write: if request.auth != null && request.auth.uid in get(/databases/$(database)/documents/shoppinglists/$(listID)).data.owners;
}
match /wordoptions/{pictureID} {
allow read, write: if request.auth != null && request.auth.uid in get(/databases/$(database)/documents/shoppinglists/$(listID)).data.owners;
}
match /invitations/{invitationID} {
allow create: if request.auth != null;
allow read: if request.auth != null;
allow delete: if request.auth != null && (
request.auth.uid == resource.data.inviter_uid ||
request.auth.token.email == resource.data.email
);
allow update: if request.auth != null;
allow write: if request.auth != null && request.auth.uid == resource.data.inviter_uid;
}
}
match /menus/{menuID} {
allow create: if request.auth != null;
allow read, write: if request.auth != null && request.auth.uid in resource.data.owners;
match /meals/{mealID} {
allow read, write: if request.auth != null && request.auth.uid in get(/databases/$(database)/documents/menus/$(menuID)).data.owners;
}
match /invitations/{invitationID} {
allow create: if request.auth != null;
allow read: if request.auth != null;
allow delete: if request.auth != null && (
request.auth.uid == resource.data.inviter_uid ||
request.auth.token.email == resource.data.email
);
allow update: if request.auth != null;
allow write: if request.auth != null && request.auth.uid == resource.data.inviter_uid;
}
}
// match /shoppingitems/{itemID} {
// allow read: if request.auth != null &&
// request.auth.uid in get(/databases/$(database)/documents/shoppinglists/$(request.)).data.owners;
// allow write: if request.auth != null &&
// request.auth.uid in get(/databases/$(database)/documents/shoppinglists/$(request.resource.data.shoppinglist)).data.owners;
// }
}
}
// NOTES:
// - Remember that order matters. Top to bottom.
// - Doing `/{document=**}` means that $document can be `foo` or `foo/bar/vaz`
// `allow: read;` is the same as `allow read: if true;`
// Common queries:
// request.auth != null - if they're a signed in user
// request.auth.uid
// "You can read my data, but only if you're signed in" => `allow read: if request.auth != null`
// allow create: if request.resource.data.score is number &&
// request.resource.data.score >= 1 **
// request.resource.data.reviewerID == request.auth.uid
// This is a good example of asserting that you're submitting something under only your own UID.
//
// When only allowing you to update *your* data:
// allow update: if resource.data.reviewerID == request.auth.uid;