firestore.rules
// Security Rules language version. Version 2 is what gives the recursive
// `{item=**}` wildcards used below their current semantics (a recursive
// wildcard may match zero segments, so `/x/{item=**}` also matches `/x`).
rules_version = '2';
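service cloud.firestore {
  // ---- Identity helpers ---------------------------------------------------

  // True when the request carries a Firebase Auth identity.
  // `request.auth != null` is the idiomatic check; the previous
  // `request.auth.token != null` only denied anonymous callers because
  // dereferencing a null request.auth raises an error, which rules treat
  // as a denial. Outcome is identical, intent is now explicit.
  function authenticated() {
    return request.auth != null;
  }

  // True when the caller's `role` custom claim is one of `roles` (a list).
  // Guarded by authenticated() so a missing identity is a plain `false`
  // rather than an evaluation error.
  function hasRoles(roles) {
    return authenticated() && request.auth.token.role in roles;
  }

  // Administrative access used by several matches below.
  // NOTE(review): admin() was called throughout this file but never defined,
  // so the ruleset could not compile or deploy. It is defined here through
  // the existing hasRoles() helper; 'admin' is a PLACEHOLDER role value —
  // confirm it against the `role` custom claim your backend actually issues.
  function admin() {
    return hasRoles(['admin']);
  }

  // True when the document being accessed has the caller's uid as its id.
  // The parameter intentionally takes the rules-provided `resource`.
  function hasId(resource) {
    return authenticated() && resource.id == request.auth.uid;
  }

  // True when the caller's `permissions` custom claim contains
  // permissions[module][permission] == true. A missing key falls back to
  // false; a missing `permissions` claim errors out, which is also a deny.
  function hasPermission(module, permission) {
    return authenticated()
      && request.auth.token.permissions.get([module, permission], false) == true;
  }

  // ---- Storage metadata flags ----------------------------------------------
  // Storage documents carry an optional `metadata` map whose entries act as
  // access flags. A flag grants access only when its value is the *string*
  // 'true' (not a boolean). Key shapes used below:
  //   permissions_public_<read|write>
  //   permissions_roles_<role>_<read|write>
  //   permissions_users_<uid>_<read|write>
  function storageFlag(key) {
    return 'metadata' in resource.data
      && resource.data.metadata.keys().hasAny([key])
      && resource.data.metadata[key] == 'true';
  }

  function storageItemPublicRead() {
    return storageFlag('permissions_public_read');
  }
  function storageItemPublicWrite() {
    return storageFlag('permissions_public_write');
  }
  // Role/user variants build the key from the caller's claims; for an
  // anonymous caller that lookup errors out, which rules treat as a deny.
  function storageItemRoleRead() {
    return storageFlag('permissions_roles_' + request.auth.token.role + '_read');
  }
  function storageItemRoleWrite() {
    return storageFlag('permissions_roles_' + request.auth.token.role + '_write');
  }
  function storageItemUserRead() {
    return storageFlag('permissions_users_' + request.auth.uid + '_read');
  }
  function storageItemUserWrite() {
    return storageFlag('permissions_users_' + request.auth.uid + '_write');
  }

  match /databases/{database}/documents {
    // Catch-all: every top-level collection is treated as a "module" gated by
    // the caller's `permissions` claim. Firestore grants access when ANY
    // matching rule allows it, so this block also applies to each specific
    // collection below: a `permissions.settings.update` claim bypasses the
    // `allow write: if admin()` on /settings, and the `allow write: if false`
    // on /_search cannot revoke what this block grants.
    match /{module}/{item=**} {
      // Any document (at any depth) whose id equals the caller's uid is
      // readable by that caller regardless of module permissions.
      allow get: if hasPermission(module, 'get') || hasId(resource);
      allow list: if hasPermission(module, 'list');
      allow create: if hasPermission(module, 'create');
      allow update: if hasPermission(module, 'update');
      allow delete: if hasPermission(module, 'delete');
    }

    // Site settings: world-readable, admin-writable.
    match /settings/{item} {
      allow read: if true;
      allow write: if admin();
    }

    // Posts: active posts are public, everything else is admin-only.
    // For `list`, rules are evaluated against the query rather than each
    // result, so a non-admin query must constrain `active` or it is denied.
    match /posts/{item} {
      allow read: if resource.data.active || admin();
      allow write: if admin();
    }

    // Pages (nested documents allowed): world-readable, admin-writable.
    match /pages/{item=**} {
      allow read: if true;
      allow write: if admin();
    }

    // Inquiries (e.g. contact-form submissions): anyone may submit one, only
    // admins may read them. The previous `allow write: if true` also let
    // anonymous callers update and delete every existing inquiry; now only
    // creation is open and modification is restricted to admins.
    match /inquiries/{item} {
      allow read: if admin();
      allow create: if true;
      allow update, delete: if admin();
    }

    match /automatic-emails/{item=**} {
      allow read, write: if admin();
    }

    match /sent-emails/{item=**} {
      allow read, write: if admin();
    }

    // Storage items: access is driven by flags on the document's own
    // `metadata` map (see storageFlag). Any write flag also implies read.
    // `write` covers create/update/delete, but on create `resource` is null,
    // so the metadata checks error out (deny) and only the explicit `create`
    // rule can allow a new item.
    match /storage/{item=**} {
      allow read: if storageItemPublicRead() || storageItemPublicWrite()
        || storageItemRoleRead() || storageItemRoleWrite()
        || storageItemUserRead() || storageItemUserWrite();
      allow write: if storageItemPublicWrite() || storageItemRoleWrite() || storageItemUserWrite();
      allow create: if hasPermission('storage', 'create');
    }

    // Search index: readable with the 'search' list permission; clients
    // cannot write it through this match (but see the catch-all note above).
    match /_search/{item=**} {
      allow read: if hasPermission('search', 'list');
      allow write: if false;
    }
  }
}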