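rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the request carries a Firebase Auth identity. The helpers
    // below check this first so an unauthenticated request evaluates to
    // false instead of erroring on request.auth.uid. The final decision is
    // the same (deny), but it avoids a needless document read in
    // isAdmin()/isModerator() and keeps the `||` chains in the allow rules
    // free of error-vs-false subtleties.
    function isSignedIn() {
      return request.auth != null;
    }

    // Role flags are stored on the caller's own /users/{uid} document; each
    // call performs one document read.
    function isAdmin() {
      return isSignedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isAdmin == true;
    }

    function isModerator() {
      return isSignedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isModerator == true;
    }

    // True when the caller is the user whose id appears in the path.
    function isUser(uid) {
      return isSignedIn() && request.auth.uid == uid;
    }

    // The existing document has been published (moderation outcome).
    function isPublished() {
      return resource.data.published == true;
    }

    // The existing document's owner_id is the caller.
    function isOwner() {
      return isSignedIn() && resource.data.owner_id == request.auth.uid;
    }

    // Photos: readable by the owner, by moderators, or by anyone once
    // published. Anyone (signed in or not) may submit a new photo; only
    // moderators may update it (that is the moderation step); owners may
    // delete their own; admins may do anything.
    match /photos/{photoId} {
      allow read: if isOwner() || isPublished() || isModerator();

      // Creation stays open to everybody, but the client must not be able to
      // mark its own upload as published: that would skip moderation and make
      // the document world-readable through the read rule above. Missing,
      // false and null are all accepted so clients that never set the field
      // keep working.
      // NOTE(review): owner_id is not validated on create, so a client can
      // write any value there. Confirm whether the app sets it client-side
      // before tightening to
      // `request.resource.data.get('owner_id', null) == request.auth.uid`.
      allow create: if request.resource.data.get('published', false) != true;

      allow update: if isModerator();

      allow delete: if isOwner();

      allow write: if isAdmin();
    }

    // Feedback: anybody can submit one (no sign-in required); only moderators
    // and admins can read or update it. No delete rule is granted, so deletes
    // are denied by default.
    match /feedbacks/{feedback} {
      allow create: if true;

      allow read: if isModerator() || isAdmin();
      allow update: if isModerator() || isAdmin();
    }

    // Users: a user (or an admin) can read the profile. Only the user may
    // write it, and a write may not add or change the isModerator / isAdmin
    // role flags; those have to be set outside these rules (console or
    // privileged server code), which is why there is no admin write rule.
    match /users/{uid} {
      allow read: if isAdmin() || isUser(uid);

      // On create there is no existing document to compare against, so the
      // role flags simply must be absent from the request.
      allow create: if isUser(uid)
          && !("isModerator" in request.resource.data)
          && !("isAdmin" in request.resource.data);

      // On update request.resource.data is the post-write document, so a
      // flag that is present must equal the stored value. A flag the stored
      // document lacks cannot be introduced: resource.data.<flag> errors and
      // the request is denied.
      allow update: if isUser(uid)
          && (!("isModerator" in request.resource.data) || request.resource.data.isModerator == resource.data.isModerator)
          && (!("isAdmin" in request.resource.data) || request.resource.data.isAdmin == resource.data.isAdmin);

      // No delete rule: a delete has no request.resource, so the previous
      // combined `allow write` could never authorise one either. Spelling it
      // out keeps the intent visible.
    }

    // Collection with system data. The Doc stats contains statistics.
    // Public read; clients get no write rule.
    match /sys/stats {
      allow read: if true;
    }

    // Extra configuration, also public read-only.
    match /sys/config {
      allow read: if true;
    }
  }
}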