-
Notifications
You must be signed in to change notification settings - Fork 0
/
firestore.rules
77 lines (72 loc) · 3.73 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
// Note: operations are:
// read == [get, list]
// write == [create, update, delete]
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// only users who have verified emails can edit lists and store data
function verifiedUser() {
return debug(request.auth) != null &&
debug(request.auth.uid) != null &&
debug(request.auth.token.email_verified);
}
// this collection stores all the global defaults for the app.
// only admins should have write privileges for this collection, so it should
// be done in the cloud console.
match /globalPreferences/{preferenceId=**} {
allow read;
}
// these documents should be created when a user first logs in after verifying their email
// the userchanged method should check for this and create the user doc.
match /users/{userId} {
allow read;
allow create, update: if request.auth.uid == userId;
// this subcollection holds list data, including additions to other lists, and
// state changes for all lists. The listId should correspond to the list.id
// of the collection it modifies. This data should be deep merged into the list data
// when a user requests a list.
match /lists/{listId=**} {
allow read: if request.auth.uid == userId;
allow write: if request.auth.uid == userId && verifiedUser();
}
match /states/{listId=**} {
allow read: if request.auth.uid == userId;
allow write: if request.auth.uid == userId && verifiedUser();
}
}
// this collection holds all the lists and list data. Soce this is a crowd-sourced app,
// any verified user should be able to modify any list, and any visitor to the site
// should be able to view any list.
match /lists/{listId} {
allow read; // anyone can read
allow list: if request.query.limit <= 12;
// allow delete: if false; // users can't delete anything. This line isn't necessary, though.
allow create, update: if debug(verifiedUser()); //&&
// request.resource.data.title is string && // the title of this list
// request.resource.data.description is string && // a description for this list
// request.resource.data.color is string && // the background color of the list card, or window color for the list view
// request.resource.data.stateGroup is path; // a group of states used for each list item in this list
// the listIitems subcolection holds all of a list's items.
match /listItems/{listItemId} {
allow read;
allow create, update: if verifiedUser();
// TODO: make sure we validate the array items
// request.resource.data.title is string && // the text of the list item
// request.resource.data.order is number && // the order of the item in the list
// request.resource.data.description is string; //the description of the list item
}
}
// the stateGroups collection holds all the possible states for list items. This is the core
// feature of Questlists. A listitem can have multiple states, so this is the overall
// colelction for those states. The states can be shared across all lists, to aid in the
// time needed to develop new lists, especially for wiki-style lists.
match /stateGroups/{stateGroupId} {
allow read;
allow create, update: if debug(verifiedUser()); // &&
// request.resource.data.name is string && // the name is the name by which this state group is mentioned
// request.resource.data.description is string && // the description for this group
// request.resource.data.states.toSet().size() > 0;
// TODO: validate array items for states
}
}
}