firestore.rules
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Helper function to check if user is authenticated
function isAuthenticated() {
  // request.auth is null when the request carries no Firebase Auth token, so
  // this is true for any signed-in caller. That includes anonymous sign-in if
  // the project has that provider enabled.
  return request.auth != null;
}
// Helper function to get user's role from their document
function getUserRole() {
  // Reads /users/{request.auth.uid} and returns its `role` field.
  // Call only after isAuthenticated(): without an auth token request.auth.uid
  // cannot be evaluated and the expression errors instead of returning a role.
  // The role is stored in a collection that clients can write to, so the
  // create/update rules on /users/{userId} are the only thing protecting it.
  // Any path that lets a user write their own `role` defeats every isAdmin()
  // check built on this function.
  // Each get() is a billed document read and counts toward Firestore's
  // per-request limit on document access calls.
  return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role;
}
// Helper function to check if user is an admin
function isAdmin() {
  // Order matters: isAuthenticated() must come first so that && short-circuits
  // before getUserRole() dereferences request.auth.uid.
  // The comparison is against the stored role string, so a caller is an admin
  // exactly when their own /users document says role == 'admin'.
  return isAuthenticated() && getUserRole() == 'admin';
}
// Helper function to check if user is the document owner
function isOwner(userId) {
  // userId is the value passed by the caller of this helper (in this file, the
  // {userId} path segment). True only when it equals the signed-in caller's
  // uid; the isAuthenticated() guard keeps request.auth.uid from being read
  // on unauthenticated requests.
  return isAuthenticated() && request.auth.uid == userId;
}
// Users collection rules
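match /users/{userId} {
  // Owners read their own profile; admins read any profile (needed for
  // check-in to get user names).
  allow read: if isOwner(userId) || isAdmin();

  // Self-service signup: a user may create only the document keyed by their
  // own uid, and only with role 'student'.
  // `role` is the value isAdmin() trusts. Accepting a client-chosen 'admin'
  // here would let any signed-in user grant themselves admin rights on first
  // write, so the role is pinned to the least-privileged value.
  // Admin roles are assigned afterwards through the admin branch of the update
  // rule below. The first admin has to be set from a trusted context such as
  // the Firebase console or the Admin SDK, which are not subject to these rules.
  // NOTE(review): `uid` and `email` are only checked for presence, not matched
  // against request.auth; confirm nothing downstream trusts them as verified.
  allow create: if isOwner(userId)
    && request.resource.data.role == 'student'
    && request.resource.data.keys().hasAll(['uid', 'email', 'name', 'role', 'createdAt', 'updatedAt']);

  // Owners may update their own document as long as `role` is unchanged
  // (Requirement 8.4); every other field is writable by the owner.
  // Admins may update any user document, including role.
  allow update: if (isOwner(userId) && request.resource.data.role == resource.data.role)
    || isAdmin();

  // Only admins can delete user documents
  allow delete: if isAdmin();
}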
// Events collection rules
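match /events/{eventId} {
  // True when the only entries this write adds to or removes from `rsvps` are
  // the caller's own uid. A write that leaves `rsvps` unchanged also passes.
  // Assumes `rsvps` is a list of user ids, as the RSVP comments in this file
  // describe; confirm against the client code. A non-list value makes toSet()
  // fail, which rejects the write.
  function changesOnlyOwnRsvp() {
    let before = resource.data.rsvps.toSet();
    let after = request.resource.data.rsvps.toSet();
    return after.difference(before).hasOnly([request.auth.uid])
      && before.difference(after).hasOnly([request.auth.uid]);
  }

  // All authenticated users can read events
  allow read: if isAuthenticated();

  // Only admins can create events, and only with themselves recorded as
  // creator, so `createdBy` cannot be forged at creation time.
  allow create: if isAdmin()
    && request.resource.data.keys().hasAll(['title', 'description', 'date', 'location', 'createdBy', 'rsvps', 'checkedIn', 'createdAt', 'updatedAt'])
    && request.resource.data.createdBy == request.auth.uid;

  allow update: if isAuthenticated() && (
    // Admin updating their own event (any field)
    (isAdmin() && resource.data.createdBy == request.auth.uid)
    // Any user touching only `rsvps`/`updatedAt`, and only to add or remove
    // their own uid. Without the second condition a signed-in user could
    // overwrite the whole list, removing other attendees or adding arbitrary
    // ids.
    || (request.resource.data.diff(resource.data).affectedKeys().hasOnly(['rsvps', 'updatedAt'])
        && changesOnlyOwnRsvp())
    // Any admin updating the checkedIn array (for check-in functionality)
    || (isAdmin() && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['checkedIn', 'updatedAt']))
  );

  // Only admins can delete events they created
  allow delete: if isAdmin() && resource.data.createdBy == request.auth.uid;
}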
// Notifications collection rules (for push notification records)
match /notifications/{notificationId} {
  // NOTE(review): this lets every signed-in user read every notification
  // document, not only the ones addressed to them. Limiting reads to the
  // recipient needs a comparison between request.auth.uid and whichever field
  // on the document records the recipient (the schema is not visible here).
  allow read: if isAuthenticated();
  // Only admins can create notifications
  // NOTE(review): no field validation is applied on create - confirm that
  // trusting any admin-written payload is intended.
  allow create: if isAdmin();
  // No client updates or deletes allowed
  allow update, delete: if false;
}
}
}