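rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Invited user: signed in, e-mail verified, and an /invite document whose id
    // equals the token e-mail exists. Every client write below goes through this
    // gate, so the /invite collection is effectively the allow-list.
    // NOTE(review): the document id is compared to request.auth.token.email
    // verbatim (case-sensitive); confirm the app normalises the address when it
    // creates invites, otherwise a differently-cased sign-in e-mail is denied.
    function isInvited() {
      return request.auth != null
        && exists(/databases/$(database)/documents/invite/$(request.auth.token.email))
        && request.auth.token.email_verified;
    }

    // Moderator: the caller's /users/{uid} document has moderator == true.
    // exists() and get() on the same document are served from the per-request
    // cache, so this costs one document read. The role flags can be trusted
    // only because /users is not client-writable (see the /users match below);
    // keep that rule at "if false".
    function isModer() {
      return request.auth != null
        && exists(/databases/$(database)/documents/users/$(request.auth.uid))
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.moderator == true;
    }

    // Administrator: the caller's /users/{uid} document has admin == true.
    // Same lookup and same trust argument as isModer().
    function isAdmin() {
      return request.auth != null
        && exists(/databases/$(database)/documents/users/$(request.auth.uid))
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin == true;
    }

    // Caller is an invited user acting on their own document (uid == userId).
    // Reuses isInvited() so the two checks can never drift apart.
    function isUserSelf(userId) {
      return isInvited() && request.auth.uid == userId;
    }

    // Items
    // read, create - invited users
    // update       - admins, moderators
    // delete       - admins
    // NOTE(review): create/update do not constrain request.resource.data, so any
    // field set and any value is accepted from the client; add a shape check if
    // the app relies on specific fields.
    match /items/{itemId} {
      allow read, create: if isInvited();
      allow update: if isModer() || isAdmin();
      allow delete: if isAdmin();
    }

    // Items Links
    // read, create - invited users
    // update       - admins, moderators
    // delete       - admins
    // Same unvalidated-payload caveat as /items.
    match /items_links/{linkId} {
      allow read, create: if isInvited();
      allow update: if isModer() || isAdmin();
      allow delete: if isAdmin();
    }

    // Profile
    // read         - invited users
    // create       - self / admins
    // update       - self / admins
    // delete       - admins
    // create was previously open to every invited user for ANY userId, which
    // let one invited user pre-create (and so author the initial content of)
    // another user's profile document; it is now limited to the owner or an
    // admin, matching the update rule.
    match /profile/{userId} {
      allow read: if isInvited();
      allow create, update: if isUserSelf(userId) || isAdmin();
      allow delete: if isAdmin();
    }

    // Role documents
    // read                   - admins (any user), moderators (own document only)
    // create, update, delete - nobody from the client; roles are managed
    //                          server-side (Admin SDK bypasses these rules)
    // The parentheses make the intended precedence explicit: && binds tighter
    // than ||, so this is the same condition as the unparenthesised form.
    match /users/{userId} {
      allow read: if isAdmin() || (isModer() && request.auth.uid == userId);
      allow create, update, delete: if false;
    }

    // Invites (document id = invitee e-mail, data.invite = inviter uid)
    // read           - the invitee (own e-mail) or the inviter
    // create         - any invited user
    // update, delete - admins
    // "read" covers get and list; a list query is only allowed when its filter
    // guarantees every returned document satisfies the condition below.
    // NOTE(review): create does not require request.resource.data.invite to be
    // the caller's uid, so the inviter field is client-asserted, and nothing
    // bounds how many invites one invited user can issue; confirm this is the
    // intended onboarding model.
    match /invite/{email} {
      allow read: if isInvited()
        && (email == request.auth.token.email || resource.data.invite == request.auth.uid);
      allow create: if isInvited();
      allow update, delete: if isAdmin();
    }
  }
}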