-
Notifications
You must be signed in to change notification settings - Fork 22
/
firestore.rules
64 lines (60 loc) · 2.96 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /projects/{project} {
function isInPublicGalleryOrIsCreator(uid, galleryID) {
let gallery = get(/databases/$(database)/documents/galleries/$(galleryID)).data;
return gallery != null && (gallery.public || uid in gallery.creators || uid in gallery.curators);
}
function isCuratorOfProjectInGallery(uid, galleryID) {
let gallery = get(/databases/$(database)/documents/galleries/$(galleryID)).data;
return gallery != null && (uid in gallery.curators || uid in gallery.creators);
}
allow create: if request.auth != null;
// Projects are readable if:
// 1) They are public
// 2) The requestor is the owner or a collaborator
// 3) The requestor is a curator or creator of the gallery that the project is in, so all gallery projects are readable.
allow read: if
('public' in resource.data && resource.data.public) ||
(request.auth != null &&
(
("mod" in request.auth.token && request.auth.token.mod) ||
('owner' in resource.data && resource.data.owner == request.auth.uid) ||
('collaborators' in resource.data && request.auth.uid in resource.data.collaborators) ||
('gallery' in resource.data && resource.data.gallery != null && isInPublicGalleryOrIsCreator(request.auth.uid, resource.data.gallery))
)
);
allow update:
if request.auth != null &&
(
resource.data.owner == request.auth.uid ||
request.auth.uid in resource.data.collaborators ||
("mod" in request.auth.token && request.auth.token.mod) ||
(resource.data.gallery != null && isCuratorOfProjectInGallery(request.auth.uid, resource.data.gallery))
);
allow delete: if request.auth != null && resource.data.owner == request.auth.uid;
}
match /creators/{uid} {
allow read, write: if request.auth != null && request.auth.uid == uid;
}
match /galleries/{gallery} {
allow create: if request.auth != null;
allow read: if ("public" in resource.data && resource.data.public) || (request.auth != null && (request.auth.uid in resource.data.curators || request.auth.uid in resource.data.creators));
allow update:
if request.auth != null &&
// Curators can update anything
// Creators can't update public status or creator or curator list.
(
request.auth.uid in resource.data.curators ||
(
request.auth.uid in resource.data.creators &&
request.resource.data.public == resource.data.public &&
request.resource.data.curators == resource.data.curators &&
request.resource.data.creators == resource.data.creators
)
);
allow delete: if request.auth != null && request.auth.uid in resource.data.curators;
}
}
}