firestore.rules
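rules_version = '2';

// Firestore security rules for client SDK access.
// Any operation without a matching `allow` below is denied. Writes made through
// the Admin SDK bypass these rules entirely (see the daily_logs note).
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the request carries an auth context. request.auth is non-null
    // for every signed-in user, including anonymous sign-in when that provider
    // is enabled, so this is "has an account", not "is a vetted user".
    function isAuthenticated() {
      return request.auth != null;
    }

    // True when the signed-in caller's uid equals userId.
    // Used with path wildcards and with owner fields stored in documents.
    function isOwner(userId) {
      return isAuthenticated() && request.auth.uid == userId;
    }

    // Users: stores FCM tokens and device-level settings.
    // Only the owner can read/write their own user document.
    match /users/{userId} {
      allow read, write: if isOwner(userId);
    }

    // Profiles: any authenticated user can read all profiles (leaderboards);
    // each user can write only their own.
    // NOTE(review): the owner may write every field of their profile. If the
    // leaderboard figures live in this document (not visible here, confirm),
    // they are client-controlled and should be written by trusted server code
    // or restricted per field.
    match /profiles/{userId} {
      allow read: if isAuthenticated();
      allow write: if isOwner(userId);
    }

    // Challenges:
    // - Read: any authenticated user (browse/join)
    // - Create: any authenticated user, but creator_id must be the caller's uid.
    //   Update/delete authorise against creator_id, so the client must not be
    //   free to set it to another user's uid or omit it.
    // - Update: only the creator, and creator_id cannot be reassigned
    // - Delete: only the creator
    match /challenges/{challengeId} {
      allow read: if isAuthenticated();
      allow create: if isOwner(request.resource.data.creator_id);
      allow update: if isOwner(resource.data.creator_id)
                    && request.resource.data.creator_id == resource.data.creator_id;
      // Kept separate from update: request.resource is not available on delete.
      allow delete: if isOwner(resource.data.creator_id);
    }

    // Participants:
    // - Read: any authenticated user (see who is in a challenge)
    // - Create: user can only create their own participant entry
    // - Update: user can only update their own entry, and user_id must stay
    //   the same so an entry cannot be handed to a different uid
    // - Delete: user can only remove themselves
    match /challenge_participants/{participantId} {
      allow read: if isAuthenticated();
      allow create: if isOwner(request.resource.data.user_id);
      allow update: if isOwner(resource.data.user_id)
                    && request.resource.data.user_id == resource.data.user_id;
      allow delete: if isOwner(resource.data.user_id);
    }

    // Daily Logs:
    // - Read: any authenticated user (social feed)
    // - Create: user can only create logs for themselves
    // - Update: user can only update their own logs (e.g. editing a check-in);
    //   user_id must stay the same
    // - Delete: no rule, so client-side deletes are denied
    // Note: the check-missed cron updates logs server-side via Admin SDK (bypasses rules)
    match /daily_logs/{logId} {
      allow read: if isAuthenticated();
      allow create: if isOwner(request.resource.data.user_id);
      allow update: if isOwner(resource.data.user_id)
                    && request.resource.data.user_id == resource.data.user_id;
    }

    // Conversations:
    // - Read/Update: only participants
    // - Create: any authenticated user (as long as they include themselves)
    // - Delete: no rule, so client-side deletes are denied
    // `read` covers list queries too; rules are not filters, so a query has to
    // be constrained to conversations containing the caller or it is rejected.
    match /conversations/{conversationId} {

      // True when the caller is listed in this conversation's participants.
      // Each evaluation performs a get() on the conversation document; a
      // missing conversation makes the expression fail, which denies access.
      function isConversationParticipant() {
        return isAuthenticated()
          && request.auth.uid in get(/databases/$(database)/documents/conversations/$(conversationId)).data.participants;
      }

      // NOTE(review): update checks only the stored participants list, not the
      // incoming one, so any participant can rewrite `participants` (add or
      // drop members). If membership changes are not a client feature, add
      // `request.resource.data.participants == resource.data.participants`.
      allow read, update: if isAuthenticated() && request.auth.uid in resource.data.participants;
      allow create: if isAuthenticated() && request.auth.uid in request.resource.data.participants;

      // Messages within a conversation:
      // - Read/Create: participants of the parent conversation only
      // - Create also requires senderId to be the caller, so a participant
      //   cannot post as someone else
      // - Update/Delete: no rule, so messages are immutable from clients
      match /messages/{messageId} {
        allow read: if isConversationParticipant();
        allow create: if isConversationParticipant()
                      && request.resource.data.senderId == request.auth.uid;
      }
    }
  }
}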