|
| 1 | +rules_version = '2'; |
| 2 | +service cloud.firestore { |
| 3 | + match /databases/{database}/documents { |
| 4 | + |
| 5 | + // Helper function to check if user is admin |
| 6 | + // Admin users have a document in 'users' collection with their UID as document ID |
| 7 | + // and isAdmin: true field |
| 8 | + function isAdmin() { |
| 9 | + return request.auth != null && |
| 10 | + exists(/databases/$(database)/documents/users/$(request.auth.uid)) && |
| 11 | + get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isAdmin == true; |
| 12 | + } |
| 13 | + |
| 14 | + // Users collection: Only admins can read their own admin status document |
| 15 | + // Document ID must match the authenticated user's UID |
| 16 | + match /users/{userId} { |
| 17 | + allow read: if request.auth != null && |
| 18 | + request.auth.uid == userId && |
| 19 | + isAdmin(); |
| 20 | + // Only admins can write (for creating admin users) |
| 21 | + allow write: if isAdmin(); |
| 22 | + } |
| 23 | + |
| 24 | + // Analytics events: Public can create, admins can read |
| 25 | + match /analytics_events/{eventId} { |
| 26 | + allow create: if true; // Anyone can create analytics events |
| 27 | + allow read: if isAdmin(); // Only admins can read |
| 28 | + allow update, delete: if isAdmin(); // Only admins can modify |
| 29 | + } |
| 30 | + |
| 31 | + // Ratings/Feedback: Public can create, admins can read |
| 32 | + match /ratings/{ratingId} { |
| 33 | + allow create: if true; // Anyone can create feedback/ratings |
| 34 | + allow read: if isAdmin(); // Only admins can read |
| 35 | + allow update, delete: if isAdmin(); // Only admins can modify |
| 36 | + } |
| 37 | + |
| 38 | + // Mismatches (Harmony quality feedback): Public can create, admins can read |
| 39 | + match /mismatches/{mismatchId} { |
| 40 | + allow create: if true; // Anyone can create mismatch reports |
| 41 | + allow read: if isAdmin(); // Only admins can read |
| 42 | + allow update, delete: if isAdmin(); // Only admins can modify |
| 43 | + } |
| 44 | + |
| 45 | + // Other collections (saved_searches, saved_resources, harmonisations, etc.) |
| 46 | + // These are user-specific, so users can read/write their own data |
| 47 | + match /saved_searches/{searchId} { |
| 48 | + allow read, write: if request.auth != null && |
| 49 | + resource.data.userId == request.auth.uid; |
| 50 | + allow create: if request.auth != null && |
| 51 | + request.resource.data.userId == request.auth.uid; |
| 52 | + } |
| 53 | + |
| 54 | + match /saved_resources/{resourceId} { |
| 55 | + allow read, write: if request.auth != null && |
| 56 | + resource.data.userId == request.auth.uid; |
| 57 | + allow create: if request.auth != null && |
| 58 | + request.resource.data.userId == request.auth.uid; |
| 59 | + } |
| 60 | + |
| 61 | + match /harmonisations/{harmonisationId} { |
| 62 | + allow read, write: if request.auth != null && |
| 63 | + resource.data.userId == request.auth.uid; |
| 64 | + allow create: if request.auth != null && |
| 65 | + request.resource.data.userId == request.auth.uid; |
| 66 | + } |
| 67 | + } |
| 68 | +} |
0 commit comments