Merge pull request #1 from AXeL-dev/enforce-user-security

Enforce user security

Author: AXeL-dev

README.md

@@ -156,20 +156,72 @@ npm install --save ng-fire-admin
 
 **7**. In order to protect your database & storage data, you must set the following rules in your firebase console:
 
+<details>
+  <summary>How to setup your firebase project?</summary>
+  
+  - Start by adding a new project in your firebase console.
+
+  - Enable Authentication by email & password.
+
+  - Add a database to your project.
+
+  - Add a storage.
+</details>
+
 **Firestore Database rules:**
 
 ```javascript
 rules_version = '2';
 service cloud.firestore {
   match /databases/{database}/documents {
-    match /{collection}/{document=**} {
-      allow read: if collection != 'users' || request.auth != null;
-      allow write: if request.auth != null;
+    match /{collection}/{document}/{path=**} {
+      allow read: if isPublic(collection, document) || isAdmin();
+      allow write: if registrationEnabled(collection) || isAdmin() || (isEditor() && isPublic(collection, document));
+    }
+    function isPublic(collection, document) {
+      return collection != 'config' && (collection != 'users' || isOwner(document));
+    }
+    function isSignedIn() {
+      return request.auth != null;
+    }
+    function hasRole(role) {
+      return isSignedIn() && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == role;
+    }
+    function isAdmin() {
+      return hasRole('admin');
+    }
+    function isEditor() {
+      return hasRole('editor');
+    }
+    function isOwner(ownerId) {
+      return isSignedIn() && request.auth.uid == ownerId;
+    }
+    function registrationEnabled(collection) {
+      return collection == 'users' && (
+        !exists(/databases/$(database)/documents/config/registration) ||
+        get(/databases/$(database)/documents/config/registration).data.enabled
+      );
     }
   }
 }
 ```
 
+<details>
+  <summary>More basic database rules? (not recommended)</summary>
+  
+  ```javascript
+    rules_version = '2';
+    service cloud.firestore {
+      match /databases/{database}/documents {
+        match /{collection}/{document=**} {
+          allow read: if collection != 'users' || request.auth != null;
+          allow write: if request.auth != null;
+        }
+      }
+    }
+  ```
+</details>
+
 **Storage rules:**
 
 ```javascript

projects/fire-admin/src/lib/components/dashboard/dashboard.component.html

@@ -44,7 +44,7 @@ <h6 class="stats-small__value count my-3">{{ statistics?.comments || 0 }}</h6>
         </div>
       </div>
     </div>
-    <div class="col-lg col-md-4 col-sm-6 mb-4">
+    <div class="col-lg col-md-4 col-sm-6 mb-4" *ngIf="currentUser?.isAdmin()">
       <div class="stats-small stats-small--1 card card-small">
         <div class="card-body p-0 d-flex">
           <div class="d-flex flex-column m-auto">
@@ -56,7 +56,7 @@ <h6 class="stats-small__value count my-3">{{ statistics?.users || 0 }}</h6>
         </div>
       </div>
     </div>
-    <div class="col-lg col-md-4 col-sm-12 mb-4">
+    <div class="col-lg col-md-4 mb-4" [ngClass]="currentUser?.isAdmin() ? 'col-sm-12' : 'col-sm-6'">
       <div class="stats-small stats-small--1 card card-small">
         <div class="card-body p-0 d-flex">
           <div class="d-flex flex-column m-auto">

projects/fire-admin/src/lib/components/dashboard/dashboard.component.ts

@@ -13,6 +13,7 @@ import { map, takeUntil } from 'rxjs/operators';
 import { NavigationService } from '../../services/navigation.service';
 import { initPieChart } from '../../helpers/charts.helper';
 import { I18nService } from '../../services/i18n.service';
+import { CurrentUserService } from '../../services/current-user.service';
 
 type PostByStatus = {
   label: string,
@@ -47,6 +48,7 @@ export class DashboardComponent implements OnInit, OnDestroy {
     private categories: CategoriesService,
     private settings: SettingsService,
     public navigation: NavigationService,
+    public currentUser: CurrentUserService,
     private i18n: I18nService
   ) { }
 
@@ -88,7 +90,9 @@ export class DashboardComponent implements OnInit, OnDestroy {
     this.statistics.posts = await this.posts.countAll();
     this.statistics.pages = await this.pages.countAll();
     this.statistics.comments = 0; // ToDo
-    this.statistics.users = await this.users.countAll();
+    if (this.currentUser.isAdmin()) {
+      this.statistics.users = await this.users.countAll();
+    }
     this.statistics.translations = await this.translations.countAll();
   }
 

projects/fire-admin/src/lib/components/pages/list/pages-list.component.html

@@ -20,7 +20,7 @@ <h3 class="page-title">{{ 'List' | translate }}</h3>
                 <th>{{ 'PageLanguage' | translate }}</th>
                 <th>{{ 'PageCreatedAt' | translate }}</th>
                 <th>{{ 'PageUpdatedAt' | translate }}</th>
-                <th>{{ 'PageAuthor' | translate }}</th>
+                <th *ngIf="currentUser?.isAdmin()">{{ 'PageAuthor' | translate }}</th>
                 <th class="text-right hide-sort-icons">{{ 'Actions' | translate }}</th>
               </tr>
             </thead>
@@ -38,7 +38,7 @@ <h3 class="page-title">{{ 'List' | translate }}</h3>
                 <td>{{ allLanguages[page.lang].label | translate }}</td>
                 <td>{{ page.createdAt | datetime }}</td>
                 <td>{{ page.updatedAt | datetime }}</td>
-                <td>
+                <td *ngIf="currentUser?.isAdmin()">
                   <a *ngIf="page.createdBy" [routerLink]="navigation.getRouterLink('users', 'profile', page.createdBy)">
                     {{ page.author | async }}
                   </a>

projects/fire-admin/src/lib/components/pages/list/pages-list.component.ts

@@ -2,7 +2,7 @@ import { Component, OnInit, ViewChild, OnDestroy } from '@angular/core';
 import { DataTableDirective } from 'angular-datatables';
 import { Subject, Subscription, Observable } from 'rxjs';
 import { map, takeUntil } from 'rxjs/operators';
-import { refreshDataTable, clearDataTable } from '../../../helpers/datatables.helper';
+import { refreshDataTable } from '../../../helpers/datatables.helper';
 import { AlertService } from '../../../services/alert.service';
 import { NavigationService } from '../../../services/navigation.service';
 import { I18nService } from '../../../services/i18n.service';
@@ -11,6 +11,7 @@ import { SettingsService } from '../../../services/settings.service';
 import { Language } from '../../../models/language.model';
 import { PagesService } from '../../../services/collections/pages.service';
 import { Page } from '../../../models/collections/page.model';
+import { CurrentUserService } from '../../../services/current-user.service';
 
 @Component({
   selector: 'fa-pages-list',
@@ -38,6 +39,7 @@ export class PagesListComponent implements OnInit, OnDestroy {
     private i18n: I18nService,
     private route: ActivatedRoute,
     public navigation: NavigationService,
+    public currentUser: CurrentUserService,
     private settings: SettingsService
   ) { }
 
@@ -90,8 +92,6 @@ export class PagesListComponent implements OnInit, OnDestroy {
       translationId: page.translationId,
       translations: page.translations
     }).then(() => {
-      clearDataTable(this.dataTableElement);
-      this.isLoading = true;
       this.alert.success(this.i18n.get('PageDeleted', { title: page.title }), false, 5000);
     }).catch((error: Error) => {
       this.alert.error(error.message);

projects/fire-admin/src/lib/components/posts/categories/posts-categories.component.ts

@@ -56,7 +56,7 @@ export class PostsCategoriesComponent implements OnInit, OnDestroy {
       this.allCategories.subscribe((categories: Category[]) => {
         // console.log(categories);
         // Refresh datatable on data change
-        refreshDataTable(this.dataTableElement, this.dataTableTrigger);
+        refreshDataTable(this.dataTableElement, this.dataTableTrigger, true);
       })
     );
   }

projects/fire-admin/src/lib/components/posts/list/posts-list.component.html

@@ -23,7 +23,7 @@ <h3 class="page-title">{{ 'List' | translate }}</h3>
                 <th>{{ 'Categories' | translate }}</th>
                 <th>{{ 'PostCreatedAt' | translate }}</th>
                 <th>{{ 'PostUpdatedAt' | translate }}</th>
-                <th>{{ 'PostAuthor' | translate }}</th>
+                <th *ngIf="currentUser?.isAdmin()">{{ 'PostAuthor' | translate }}</th>
                 <th class="text-right hide-sort-icons">{{ 'Actions' | translate }}</th>
               </tr>
             </thead>
@@ -51,7 +51,7 @@ <h3 class="page-title">{{ 'List' | translate }}</h3>
                 </td>
                 <td>{{ post.createdAt | datetime }}</td>
                 <td>{{ post.updatedAt | datetime }}</td>
-                <td>
+                <td *ngIf="currentUser?.isAdmin()">
                   <a *ngIf="post.createdBy" [routerLink]="navigation.getRouterLink('users', 'profile', post.createdBy)">
                     {{ post.author | async }}
                   </a>

projects/fire-admin/src/lib/components/posts/list/posts-list.component.ts

@@ -4,7 +4,7 @@ import { Subject, Subscription, Observable } from 'rxjs';
 import { Post, PostStatus } from '../../../models/collections/post.model';
 import { PostsService } from '../../../services/collections/posts.service';
 import { map, takeUntil } from 'rxjs/operators';
-import { refreshDataTable, clearDataTable } from '../../../helpers/datatables.helper';
+import { refreshDataTable } from '../../../helpers/datatables.helper';
 import { AlertService } from '../../../services/alert.service';
 import { NavigationService } from '../../../services/navigation.service';
 import { I18nService } from '../../../services/i18n.service';
@@ -13,6 +13,7 @@ import { CategoriesService } from '../../../services/collections/categories.serv
 import { ActivatedRoute } from '@angular/router';
 import { SettingsService } from '../../../services/settings.service';
 import { Language } from '../../../models/language.model';
+import { CurrentUserService } from '../../../services/current-user.service';
 
 @Component({
   selector: 'fa-posts-list',
@@ -43,6 +44,7 @@ export class PostsListComponent implements OnInit, OnDestroy {
     private i18n: I18nService,
     private route: ActivatedRoute,
     public navigation: NavigationService,
+    public currentUser: CurrentUserService,
     private settings: SettingsService
   ) { }
 
@@ -136,8 +138,6 @@ export class PostsListComponent implements OnInit, OnDestroy {
       translationId: post.translationId,
       translations: post.translations
     }).then(() => {
-      clearDataTable(this.dataTableElement);
-      this.isLoading = true;
       this.alert.success(this.i18n.get('PostDeleted', { title: post.title }), false, 5000);
     }).catch((error: Error) => {
       this.alert.error(error.message);

projects/fire-admin/src/lib/components/translations/translations.component.ts

@@ -53,7 +53,7 @@ export class TranslationsComponent implements OnInit, OnDestroy, AfterViewInit {
       this.allTranslations.subscribe((translations: TranslationData[]) => {
         // console.log(translations);
         // Refresh datatable on data change
-        refreshDataTable(this.dataTableElement, this.dataTableTrigger);
+        refreshDataTable(this.dataTableElement, this.dataTableTrigger, true);
       })
     );
   }

projects/fire-admin/src/lib/components/users/list/users-list.component.html

@@ -44,9 +44,7 @@ <h3 class="page-title">{{ 'List' | translate }}</h3>
                 <td>{{ user.updatedAt | datetime }}</td>
                 <td>
                   <a *ngIf="user.createdBy" [routerLink]="navigation.getRouterLink('users', 'profile', user.createdBy)">
-                    <span *ngIf="user.creator | async as creator">
-                      {{ creator.firstName + ' ' + creator.lastName }}
-                    </span>
+                    <span *ngIf="user.creator | async as creator">{{ creator }}</span>
                   </a>
                 </td>
                 <td class="text-right">