-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirestore.rules
100 lines (88 loc) · 3.92 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function userCanDM() {
return request.auth != null &&
get(/databases/$(database)/documents/users/$(request.auth.uid))
.data.canDM == true;
}
match /runs/{runId} {
// Only users that have the permission can create runs
allow create: if userCanDM();
// Anyone can see the runs
allow read: if true;
// Only run's admin, DMs and reviewers can write
allow write: if isRunAdminOrDM() || isUserReviewer();
// Nobody can delete a run (use deleteRun cloud function for a soft delete)
allow delete: if false;
function isRunDM() {
let data = get(/databases/$(database)/documents/runs/$(runId)).data;
return (data.keys().hasAll(['dms']) && request.auth.uid in data.dms)
|| (data.keys().hasAll(['dm']) && request.auth.uid == data.dm)
}
function isRunAdmin() {
let data = get(/databases/$(database)/documents/runs/$(runId)).data;
return data.keys().hasAll(['admin']) && data.admin == request.auth.uid
}
function isRunAdminOrDM() {
let data = get(/databases/$(database)/documents/runs/$(runId)).data;
return (data.keys().hasAll(['admin']) && data.admin == request.auth.uid)
|| (data.keys().hasAll(['dms']) && request.auth.uid in data.dms)
|| (data.keys().hasAll(['dm']) && request.auth.uid == data.dm)
}
function isRunDMOrPlayer() {
let data = get(/databases/$(database)/documents/runs/$(runId)).data;
return (data.keys().hasAll(['dms']) && request.auth.uid in data.dms)
|| (data.keys().hasAll(['dm']) && request.auth.uid == data.dm)
|| request.auth.uid in data.players
}
function isUserReviewer() {
let data = get(/databases/$(database)/documents/users/$(request.auth.uid)).data;
return data.keys().hasAll(['isReviewer']) && data.isReviewer == true
}
match /steps/{stepId} {
// Anyone can see the steps
allow read: if true;
// Only the run's DM can create steps, or a reviewer
allow create: if request.auth != null && (isRunDM() || isUserReviewer());
// Only the run's DM or players can update steps, or a reviewer
allow update: if request.auth != null && (isRunDMOrPlayer() || isUserReviewer());
// Nobody can delete a step
allow delete: if false;
}
match /invites/{inviteId} {
// Only the run's admin or a reviewer can interact with invitations
allow read, write: if request.auth != null && (isRunAdmin() || isUserReviewer());
}
}
match /users/{userId} {
// Anyone can view user profiles
allow read: if true;
// Authenticated users can write their own profile
allow write: if request.auth != null
&& request.resource.data.id == request.auth.uid;
// Nobody can delete a user profile
allow delete: if false;
function isUserReviewer() {
let data = get(/databases/$(database)/documents/users/$(userId)).data;
return data.keys().hasAll(['isReviewer']) && data.isReviewer == true
}
match /runs/{runId} {
function isRunAdmin() {
let data = get(/databases/$(database)/documents/runs/$(runId)).data;
return data.keys().hasAll(['admin']) && data.admin == request.auth.uid
}
// Anyone can read the run states
allow read: if true;
// Users can read/write their own run states,
// or the run's admin, or any reviewer
allow create, write, delete: if request.auth != null
&& (
request.auth.uid == userId
|| isRunAdmin()
|| isUserReviewer()
);
}
}
}
}