-
Notifications
You must be signed in to change notification settings - Fork 6
/
firestore.rules
96 lines (76 loc) · 3.87 KB
/
firestore.rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
// Note: CLAs and Addendums cannot be modified or deleted
rules_version = '2';
service cloud.firestore {
// Global checks
// checks if a user is signed in
function isSignedIn(auth) {
return auth != null;
}
// checks whether the user has admin privileges or not
function isAdmin(auth) {
return 'admin' in auth.token && auth.token.admin == true;
}
// Agreements
// Get an agreement starting from the ID
function getAgreement(database, agreementId) {
return get(/databases/$(database)/documents/agreements/$(agreementId)).data;
}
// Check if the authenticated users is the signer of an agreement
function isSigner(auth, agreement) {
return auth.token.email == agreement.signer.value
}
// Check if the authenticated users can manage an agreement
function isAgreementManager(auth, database, agreementId) {
return auth.token.email in get(/databases/$(database)/documents/whitelists/$(agreementId)).data.managers;
}
// Whitelists
// Check if a user is listed as a manager in a whitelist item
function isWhitelistManager(auth, whitelist) {
return auth.token.email in whitelist.managers;
}
// AppUsers
// AppUser documents are stored with the same uid as the logged in user,
// check that those match
function isAccountOwner(auth, userId) {
return auth.uid == userId
}
match /databases/{database}/documents {
match /agreements/{agreementId} {
allow read: if isSignedIn(request.auth) && (isSigner(request.auth, resource.data) || isAdmin(request.auth) || isAgreementManager(request.auth, database, agreementId));
allow create: if isSignedIn(request.auth) && isSigner(request.auth, request.resource.data);
allow update: if false;
allow delete: if false;
}
match /addendums/{addendumId} {
allow read: if isSignedIn(request.auth) && (isAdmin(request.auth) || isSigner(request.auth, getAgreement(database, resource.data.agreementId)) || isAgreementManager(request.auth, database, resource.data.agreementId));
allow create: if isSignedIn(request.auth) && (isSigner(request.auth, getAgreement(database, request.resource.data.agreementId)) || isAgreementManager(request.auth, database, request.resource.data.agreementId));
allow update: if false;
allow delete: if false;
}
match /whitelists/{whitelistId} {
allow read: if isSignedIn(request.auth) && (isAdmin(request.auth) || isWhitelistManager(request.auth, resource.data));
}
match /appUsers/{uid} {
allow read: if isSignedIn(request.auth) && isAdmin(request.auth);
match /accounts/{accountId} {
allow read: if isSignedIn(request.auth) && (isAdmin(request.auth) || isAccountOwner(request.auth, uid));
allow delete: if isSignedIn(request.auth) && isAccountOwner(request.auth, uid);
// Only functions can write (verified) accounts
}
}
match /domains/{domainID} {
allow read: if isSignedIn(request.auth) && isAdmin(request.auth);
allow create: if isSignedIn(request.auth) && isAdmin(request.auth);
allow update: if isSignedIn(request.auth) && isAdmin(request.auth);
}
match /{path=**}/accounts/{accountId} {
allow read: if isSignedIn(request.auth) && (isAdmin(request.auth) || isAccountOwner(request.auth, uid));
}
match /{path=**}/appUsers/{uid} {
allow read: if isSignedIn(request.auth) && (isAdmin(request.auth) || isAccountOwner(request.auth, uid));
}
}
}
// NOTES
// - during read operations the current entry in the DB is stored in the "resource" variable
// - during write operations the current entry in the DB is stored in the "request.resource" variable