-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathfirestore.rules
More file actions
89 lines (77 loc) · 3.04 KB
/
Copy pathfirestore.rules
File metadata and controls
89 lines (77 loc) · 3.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Helper function to check if user is authenticated
function isAuthenticated() {
return request.auth != null;
}
// Helper function to check if user owns the document
function isOwner(userId) {
return isAuthenticated() && request.auth.uid == userId;
}
// App artifacts collection (main app data)
match /artifacts/{appId} {
// Users collection - each user can only access their own data
match /users/{userId}/{document=**} {
allow read, write: if isOwner(userId);
}
// Blog posts collection (shared across all users)
match /blog/{postId} {
// Anyone authenticated can read blog metadata
allow read: if isAuthenticated();
// No direct writes - posts are hardcoded
allow write: if false;
// Likes subcollection - track who liked what
match /likes/{likeUserId} {
allow read: if isAuthenticated();
allow create, delete: if isOwner(likeUserId);
allow update: if false;
}
// Comments subcollection
match /comments/{commentId} {
// Anyone authenticated can read comments
allow read: if isAuthenticated();
// Only authenticated users can create comments
allow create: if isAuthenticated()
&& request.resource.data.userId == request.auth.uid
&& request.resource.data.text is string
&& request.resource.data.text.size() > 0
&& request.resource.data.text.size() <= 500;
// Only comment owner can update/delete
allow update, delete: if isAuthenticated()
&& resource.data.userId == request.auth.uid;
}
}
// Community Posts - under artifacts/{appId}
match /community_posts/{postId} {
allow read: if true;
allow create: if isAuthenticated();
allow update: if isAuthenticated();
allow delete: if isAuthenticated() && resource.data.authorId == request.auth.uid;
// Comments subcollection
match /comments/{commentId} {
allow read: if true;
allow create: if isAuthenticated();
allow delete: if isAuthenticated() && resource.data.userId == request.auth.uid;
}
}
}
// Community Posts - public read, authenticated write (root level fallback)
match /community_posts/{postId} {
allow read: if true;
allow create: if isAuthenticated();
allow update: if isAuthenticated();
allow delete: if isAuthenticated() && resource.data.authorId == request.auth.uid;
// Comments subcollection
match /comments/{commentId} {
allow read: if true;
allow create: if isAuthenticated();
allow delete: if isAuthenticated() && resource.data.userId == request.auth.uid;
}
}
// Deny all other access by default
match /{document=**} {
allow read, write: if false;
}
}
}