jonathan-irvin/jelly-fin

firestore.rules

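service cloud.firestore {
  match /databases/{database}/documents {

    // ---- Helper functions ----

    // True when the request carries a Firebase Authentication identity.
    function signedIn() {
      return request.auth != null;
    }

    // True when the caller's own /users/{uid} document lists 'ADMIN' among
    // the values of its `roles` map.
    // The admin decision is read from a document in /users, so it is only as
    // trustworthy as the write rules on /users below: callers must not be able
    // to set or change their own `roles`. Each evaluation performs a get() on
    // the caller's user document.
    function isAdmin() {
      return signedIn() &&
        'ADMIN' in get(/databases/$(database)/documents/users/$(request.auth.uid)).data.roles.values();
    }

    // True when the stored document's `userId` field is the caller's uid.
    // Reads `resource` (the existing document), so it cannot be used on create.
    function isOwner() {
      return signedIn() && request.auth.uid == resource.data.userId;
    }

    // True when the stored document's id is the caller's uid.
    // Reads `resource`, so it cannot be used on create.
    function isSelf() {
      return signedIn() && request.auth.uid == resource.id;
    }

    // True when the incoming document would carry the 'ADMIN' role value.
    function claimsAdminRole() {
      return 'roles' in request.resource.data &&
        'ADMIN' in request.resource.data.roles.values();
    }

    // True when an update leaves the `roles` field exactly as stored.
    function rolesUntouched() {
      return !request.resource.data.diff(resource.data).affectedKeys().hasAny(['roles']);
    }

    // True when an update leaves the `userId` field exactly as stored.
    function ownerUntouched() {
      return request.resource.data.userId == resource.data.userId;
    }

    // ---- Rules ----

    match /users/{userId} {
      allow list: if isAdmin();
      allow get, delete: if isSelf() || isAdmin();

      // A non-admin may edit their own profile but not its `roles` field.
      // Without this, isAdmin() could be satisfied by a self-edit.
      allow update: if (isSelf() && rolesUntouched()) || isAdmin();

      // A non-admin may create only the document keyed by their own uid, and
      // it must not carry the 'ADMIN' role. Previously any signed-in user
      // could create any /users document with arbitrary contents.
      // NOTE(review): if the client currently writes `roles` at sign-up, move
      // admin assignment to a trusted backend (Admin SDK) -- confirm with the app.
      allow create: if (signedIn() && request.auth.uid == userId && !claimsAdminRole())
                    || isAdmin();
    }

    match /accounts/{accountId} {
      // `read` already covers both get and list. List queries must filter on
      // userId == the caller's uid, otherwise the query is rejected.
      allow read: if isOwner();
      allow create: if signedIn() && request.resource.data.userId == request.auth.uid;

      // The original called inOwnerList(), which is not defined anywhere in
      // this file; isOwner() is presumably what was intended -- confirm.
      // ownerUntouched() prevents reassigning an account to another user.
      allow update: if isOwner() && ownerUntouched();
      allow delete: if isOwner();
    }

    match /messages/{messageId} {
      // Every signed-in user can read every message (as in the original).
      allow read: if signedIn();
      allow create: if signedIn() && request.resource.data.userId == request.auth.uid;

      // ownerUntouched() prevents an author from re-attributing a message to
      // another user's uid after creation.
      allow update: if isOwner() && ownerUntouched();
      allow delete: if isOwner();
    }
  }
}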