-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirestore.rules
111 lines (96 loc) · 4.4 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Note that request.resource.data contains the incoming data update while
// resource.data is a map of all of the fields and values stored in the
// document.
// Check if a user is signed in
function isSignedIn() {
return request.auth != null;
}
// Returns true if the current user is authenticated and is an admin user
function isAdmin() {
let isAdmin = get(/databases/$(database)/documents/users/$(request.auth.uid)).data.admin;
return isSignedIn() && isAdmin;
}
match /sensors/{sensorDoc} {
// All users can read from the sensor docs (the graph component of the
// home page uses these docs)
allow read: if true;
// Admins are allowed to write to the sensor docs from the manage sensors
// page
allow write: if isAdmin();
match /readings/{reading} {
// Admins are allowed to read data for downloading it
allow read: if isAdmin();
// Only cloud functions can modify data
// Deletes triggered by an admin user are still handled by cloud functions
allow write: if false;
}
}
// Only allow a user to be changed to an admin if the current user is an admin
// Only allow changes to other fields if user is modifying their own user
// doc, or if the user is an admin user, who can modify all accounts
match /users/{userId} {
function isCurrentUserDoc() {
return isSignedIn() && request.auth.uid == userId;
}
// For a valid user doc update for a non-admin user, they must be signed in,
// be changing their own doc, and not change the admin field to true
function validNonAdminUpdate() {
return isCurrentUserDoc() && request.resource.data.admin == false;
}
allow read: if isAdmin() || isCurrentUserDoc();
allow write: if isAdmin() || validNonAdminUpdate();
}
// Used to display values on live webpage
match /current-reading/{readings} {
allow read: if true;
allow write: if false;
}
// Used for data deletion
match /deletion {
// Used for deletion of sensor readings
match /readings {
// Only admins and the Cloud Functions are allowed to modify readings
allow read, write: if isAdmin();
}
// Used for deletion of user data
match /users {
// Check that a field is not being updated.
function notUpdated(newData, oldData, field) {
return !(field in newData) || oldData[field] == newData[field]
}
// Verify that (1) user is signed in, (2) the only modified field is
// userDocs, (3) the userDocs array is increased in size by only 1,
// and (4) the added item from the userDocs array is the user's uid.
function addUidToUserDocs(newData, oldData) {
let firebaseUsersNotUpdated = notUpdated(newData, oldData, 'firebaseUsers');
let oneItemAdded = newData['userDocs'].size() == oldData['userDocs'].size() + 1;
let addedUid = newData['userDocs'].removeAll(oldData['userDocs'])[0] == request.auth.uid;
return isSignedIn()
&& firebaseUsersNotUpdated
&& oneItemAdded
&& addedUid;
}
// Verify that (1) user is signed in, (2) the only modified field is
// firebaseUsers, (3) the firebaseUsers array is reduced in size by only 1,
// and (4) the removed item from the firebaseUsers array is the user's uid.
function removeUidFromFirebaseUsers(newData, oldData) {
let userDocsNotUpdated = notUpdated(newData, oldData, 'userDocs');
let oneItemRemoved = newData['firebaseUsers'].size() == oldData['firebaseUsers'].size() - 1;
let removedUid = oldData['firebaseUsers'].removeAll(newData['firebaseUsers'])[0] == request.auth.uid;
return isSignedIn()
&& userDocsNotUpdated
&& oneItemRemoved
&& removedUid;
}
// Admins can mark an account for deletion. General users can only mark
// their own account for deletion.
allow write: if isAdmin() || addUidToUserDocs(request.resource.data, resource.data) || removeUidFromFirebaseUsers(request.resource.data, resource.data);
// Only the Cloud Functions can read the users document
allow read: if false;
}
}
}
}