-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathfirestore.rules
More file actions
157 lines (122 loc) · 6.4 KB
/
Copy pathfirestore.rules
File metadata and controls
157 lines (122 loc) · 6.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Allow users to read and write their own user document
match /users/{userId} {
allow read, write: if request.auth != null && request.auth.uid == userId;
allow read, write: if request.auth.token.role == "admin";
// Allow users to manage their own checked-in events
match /checkedInEvents/{eventId} {
allow read, write, get: if request.auth != null && request.auth.uid == userId;
}
// Allow users to manage their own FCM tokens
match /fcmTokens/{tokenId} {
allow read, write, get: if request.auth != null && request.auth.uid == userId;
}
// Allow users to manage their own favorite companies
match /favoriteCompanies/{companyId} {
allow read, write, get: if request.auth != null && request.auth.uid == userId;
}
// Allow users to manage their own joined clubs
match /joinedClubs/{clubId} {
allow read, write, get: if request.auth != null && request.auth.uid == userId;
}
}
// Allow authenticated users to read from the 'clubs' collection
match /clubs/{clubId} {
allow read: if request.auth != null;
// Allow users to manage their own membership in club members collection
match /members/{userId} {
allow read: if request.auth != null;
allow write, delete: if request.auth != null && request.auth.uid == userId;
}
}
match /{path=**}/members/{memberDocId} {
allow read, delete: if request.auth != null &&
(resource.data.uid == request.auth.uid || memberDocId == request.auth.uid);
}
match /{path=**}/attending/{attendanceDocId} {
allow read, delete: if request.auth != null &&
(resource.data.uid == request.auth.uid || attendanceDocId == request.auth.uid);
}
match /notifications/{notificationId} {
allow read: if request.auth != null;
allow write: if request.auth != null && request.auth.token.role == "admin";
allow delete: if request.auth != null && resource.data.targetId == request.auth.uid;
}
// // Path for recursive removal
// match /{path=**}/members/{userId} {
// allow read, write: if request.auth != null && request.auth.uid == userId;
// }
// match /{path=**}/attending/{userId} {
// allow read, write: if request.auth != null && request.auth.uid == userId;
// }
// Allow authenticated users to read from the 'companies' collection
match /companies/{companyId} {
allow read: if request.auth != null;
}
match /sponsors/{sponsorId}{
allow read: if request.auth != null;
}
// Allow authenticated users to read from the 'events' collection
match /events/{eventId} {
allow read: if request.auth != null;
allow delete, write: if request.auth != null
&& get(/databases/$(database)/documents/events/$(eventId)).eventType == 'club'
&& get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'club admin'
&& exists(/databases/$(database)/documents/clubs/$(get(/databases/$(database)/documents/events/$(eventId)).clubId)/members/$(request.auth.uid))
// Allow users to manage their own check-in status in event attending collection
match /attending/{userId} {
allow read: if request.auth != null;
allow write: if request.auth != null && request.auth.uid == userId;
}
// Allow users to create exceptions to recurring events
match /exceptions/{exceptionId} {
allow read: if request.auth != null;
allow delete, write: if request.auth != null
&& get(/databases/$(database)/documents/events/$(eventId)).eventType == 'club'
&& get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'club admin'
&& exists(/databases/$(database)/documents/clubs/$(get(/databases/$(database)/documents/events/$(eventId)).clubId)/members/$(request.auth.uid))
}
}
// match /events/{eventId} {
// allow read: if request.auth != null;
// allow delete: if request.auth != null
// // 1. Use resource.data to check the event being deleted
// && resource.data.eventType == 'club'
// // 2. Check the user's role (Ensure 'data' is used correctly)
// && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'club admin'
// // 3. Check if user is a member of the specific club
// && exists(/databases/$(database)/documents/clubs/$(resource.data.clubId)/members/$(request.auth.uid));
// match /attending/{userId} {
// allow read: if request.auth != null;
// allow write: if request.auth != null && request.auth.uid == userId;
// }
// }
// Allow authenticated users to read from the 'faculty' collection
match /faculty/{facultyId} {
allow read: if request.auth != null;
}
// Club admin requests - admins can read/write all, users can create and read their own
match /clubAdminRequests/{docId} {
allow read, write: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
allow create: if request.auth != null && request.resource.data.uid == request.auth.uid;
allow read: if request.auth != null && resource.data.uid == request.auth.uid;
}
// Club event requests - admins can do everything, club admins can create, users can read their own
match /clubEventRequests/{docId} {
allow read, write, update, delete: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
allow create: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'club admin';
allow read: if request.auth != null && resource.data.requestedByUid == request.auth.uid;
}
// For all other documents, deny read and write by default
match /{document=**} {
allow read, write: if false;
}
match /facultyRequests/{docID} {
allow read, write: if request.auth != null && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
allow create: if request.auth != null && request.resource.data.uid == request.auth.uid;
allow read: if request.auth != null && resource.data.uid == request.auth.uid;
}
}
}