-
Notifications
You must be signed in to change notification settings - Fork 14
/
firestore.rules
64 lines (53 loc) · 3.05 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /books/{book} {
function getBook() {
return get(/databases/$(database)/documents/books/$(book)).data;
}
function bookIsEditable(bookDoc) {
return request.auth != null && request.auth.uid in bookDoc.uids;
}
allow read: if true;
allow create: if request.auth != null;
// Books can be updated if the current user has editing rights and either the updated data's published flag is false or the user's publisher flag is set to true.
allow update: if (bookIsEditable(resource.data) || request.auth.uid in resource.data.readuids) && (request.resource.data.published == false || request.auth.token.publisher == true);
allow delete: if bookIsEditable(resource.data);
match /editions/{edition} {
function getEdition() {
return get(/databases/$(database)/documents/books/$(book)/editions/$(edition)).data
}
function editionIsEditable(editionDoc) {
return request.auth != null && (request.auth.uid in editionDoc.uids || bookIsEditable(getBook()))
}
// Editions can be read if they are published or the user has permissions to edit the edition or book.
allow read: if true;
// Anyone with book permissions can create or delete editions.
allow create: if bookIsEditable(getBook());
allow delete: if bookIsEditable(getBook());
// Anyone with book or edition permissions can edit the edition, unless they are trying to modify the published status of the
// edition, in which case they are only allowed if they are a publisher.
allow update:
if request.auth != null &&
(editionIsEditable(resource.data) || (request.auth.uid in resource.data.chapteruids)) &&
(resource.data.published == request.resource.data.published || request.auth.token.publisher == true);
match /chapters/{chapter} {
// This is not entirely right: this gives permission to anyone who has any chapter level permissions to edit
// any chapter. This relies on the front end to enforce chapter level permissions. Boo Firebase security rules.
// The only way to make this more precise would be to denormalize permissions data, replicating it on the chapter document.
function chapterIsEditable(edition) {
return (request.auth != null && request.auth.uid in edition.chapteruids) || editionIsEditable(edition);
}
// Chapter text is readable if the book is published or the part or all of the edition is editable
allow read: if true;
// Only edition editors can create chapters.
allow create: if editionIsEditable(getEdition());
// Chapters can be edited by anyone with chapter, edition, or book level permissions.
allow update: if chapterIsEditable(getEdition());
// Only edition editors can delete chapters.
allow delete: if editionIsEditable(getEdition());
}
}
}
}
}