Add Firestore security rules with CD deployment

Dylan · claude · Dylan · commit 672fc408ad92 · 2026-04-19T15:09:55.000+01:00
Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.firebaserc b/.firebaserc
@@ -0,0 +1,5 @@
+{
+  "projects": {
+    "default": "retrotools-284402"
+  }
+}
diff --git a/.github/workflows/CICD.yml b/.github/workflows/CICD.yml
@@ -54,3 +54,18 @@ jobs:
         run: gcloud auth configure-docker us-east1-docker.pkg.dev && docker push us-east1-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/retrograde/retrograde:latest
       - name: Deploy new cloudrun revision
         run: gcloud run deploy retrotools --image us-east1-docker.pkg.dev/${{ secrets.GCP_PROJECT }}/retrograde/retrograde:latest --platform managed --region=us-east1 --project=${{ secrets.GCP_PROJECT }}
+
+  deploy-firestore-rules:
+    runs-on: ubuntu-latest
+    needs: ci
+    if: "!contains(github.event.head_commit.message, '[skip ci]') && github.ref == 'refs/heads/master'"
+    steps:
+      - uses: actions/checkout@v1
+      - id: auth
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: "${{ secrets.GCP_ACCOUNT_CREDENTIALS }}"
+      - name: Install Firebase CLI
+        run: npm install -g firebase-tools
+      - name: Deploy Firestore rules
+        run: firebase deploy --only firestore:rules --project ${{ secrets.GCP_PROJECT }}
diff --git a/firebase.json b/firebase.json
@@ -1,4 +1,7 @@
 {
+  "firestore": {
+    "rules": "firestore.rules"
+  },
   "emulators": {
     "firestore": {
       "port": 8080
diff --git a/firestore.rules b/firestore.rules
@@ -0,0 +1,28 @@
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+    // Default deny
+    match /{document=**} {
+      allow read, write: if false;
+    }
+
+    // Allow read access if user is a board participant
+    match /boards/{boardId} {
+      allow read: if isAuthenticated() && isBoardParticipant(boardId);
+    }
+
+    match /boards/{boardId}/{_=**} {
+      allow read: if isAuthenticated() && isBoardParticipant(boardId);
+    }
+
+    function isAuthenticated() {
+      return request.auth != null;
+    }
+
+    function isBoardParticipant(boardId) {
+      return
+        exists(/databases/$(database)/documents/participants/$(request.auth.uid)) &&
+        /databases/%28default%29/documents/boards/$(boardId) in get(/databases/$(database)/documents/participants/$(request.auth.uid)).data.boards
+    }
+  }
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +{
 +  "projects": {
 +    "default": "retrotools-284402"
 +  }
 +}
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,7 @@`
`1`	`1`	`{`
	`2`	`+ "firestore": {`
	`3`	`+ "rules": "firestore.rules"`
	`4`	`+ },`
`2`	`5`	`"emulators": {`
`3`	`6`	`"firestore": {`
`4`	`7`	`"port": 8080`