Untitled
unknown
plain_text
3 years ago
3.8 kB
21
Indexable
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /Organizations/{orgID} {
allow get: if getRole(database, orgID, request.auth.uid) in ['Admin', 'Editor', 'Viewer'];
allow list, write, delete: if false;
// Only allow a user to read/write/delete the documents in the 'Materials' collection
// if their uid is equal to the orgID
match /Materials/{materialID} {
// Allows read if the resource is public or the user is an org admin, editor, or reader
allow read: if resource.data.visibility == 'public' || getRole(database, orgID, request.auth.uid) in ['Admin', 'Editor', 'Viewer'];
allow create: if getRole(database, orgID, request.auth.uid) in ['Admin', 'Editor'] &&
getMaterial(database, orgID, materialID) == null &&
(request.resource.data.glyphIDs == null ||
request.resource.data.glyphIDs.size() == 0);
// Allows writes if the user is an org admin or editor, and if glyphIDs are included in the request, the org must own them all
allow update: if getRole(database, orgID, request.auth.uid) in ['Admin', 'Editor'] &&
getMaterial(database, orgID, materialID) != null &&
(request.resource.data.glyphIDs == null ||
request.resource.data.glyphIDs.size() == 0 ||
request.resource.data.glyphIDs.hasOnly(getOrgGlyphIDs(database, orgID)));
allow delete: if getRole(database, orgID, request.auth.uid) in ['Admin', 'Editor'] && getMaterial(database, orgID, materialID) != null;
}
// Only allow a user to read/write/delete the documents in the 'Glyphs' collection
// if their uid is equal to the orgID
match /Glyphs/{glyphID} {
allow get: if true; // if getRole(database, orgID, request.auth.uid) in ['Admin', 'Editor', 'Viewer'];
allow list: if getRole(database, orgID, request.auth.uid) in ['Admin', 'Editor', 'Viewer'];
allow create: if false; // Created in via admin sdk
allow update, delete: if getRole(database, orgID, request.auth.uid) in ['Admin', 'Editor'] && getGlyph(database, orgID, glyphID) != null;
}
// Only organiation admin can manage roles
match /Roles/{roleID} {
allow read: if roleID == request.auth.uid || getRole(database, orgID, request.auth.uid) == 'Admin';
allow write, delete: if false; // should be serverside only
}
// Only organiation admin can manage roles
match /Users/{userID} {
allow read: if userID == request.auth.uid || getRole(database, orgID, request.auth.uid) == 'Admin';
allow write, delete: if false;
}
}
match /GlyphHashes/{glyphHashID} {
// Allow read access to a specific document
allow get: if true;
// Disallow listing all documents in the collection & writing/deleting
allow list, write, delete: if false;
}
}
// Allow users to fetch their own role via collectionGroup query
match /{document=**}/Roles/{roleID} {
allow read: if request.auth.uid == resource.data.id;
allow write, delete: if false;
}
function getRole(db, orgId, userId) {
return get(/databases/$(db)/documents/Organizations/$(orgId)/Roles/$(userId)).data.role;
}
function getOrgGlyphIDs(db, orgId) {
return get(/databases/$(db)/documents/Organizations/$(orgId)).data.allGlyphIDs;
}
function getGlyph(db, organizationId, glyphId) {
return get(/databases/$(db)/documents/Organizations/$(organizationId)/Glyphs/$(glyphId));
}
function getMaterial(db, organizationId, materialId) {
return get(/databases/$(db)/documents/Organizations/$(organizationId)/Materials/$(materialId));
}
}
Editor is loading...