feat: Public dashboard security rules

.github/workflows/firebase_actions.yml

@@ -47,7 +47,7 @@ jobs:
         working-directory: metrics/firebase/functions/
 
       - name: Run Firestore security rules tests
-        run: firebase emulators:exec --only firestore "npm run test"
+        run: firebase use default && firebase emulators:exec --only firestore "npm run test"
         working-directory: metrics/firebase/
 
       - name: Deploy Cloud Functions and Firestore security rules

metrics/firebase/firestore/rules/firestore.rules

@@ -3,30 +3,33 @@ service cloud.firestore {
   match /databases/{database}/documents {
 
     match /project_groups/{projectGroupId} {
-      allow read, delete: if isAccessAuthorized(database);
-      allow create, update: if isAccessAuthorized(database) && isProjectGroupValid();
+      allow read: if isSignedIn(database) || isPublicDashbordAnonymousAccess(database);
+      allow delete: if isSignedIn(database);
+      allow create, update: if isSignedIn(database) && isProjectGroupValid();
     }
 
     match /projects/{projectId} {
-      allow read: if isAccessAuthorized(database);
-      allow create, update: if isAccessAuthorized(database) && isProjectValid();
+      allow read: if isSignedIn(database) || isPublicDashbordAnonymousAccess(database);
+      allow create, update: if isSignedIn(database) && isProjectValid();
       allow delete: if false;
     }
 
     match /build/{buildId} {
-      allow read: if isAccessAuthorized(database);
-      allow create, update: if isAccessAuthorized(database) && isBuildValid(database);
+      allow read: if isSignedIn(database) || isPublicDashbordAnonymousAccess(database);
+      allow create, update: if isSignedIn(database) && isBuildValid(database);
       allow delete: if false;
     }
 
     match /build_days/{buildDayId} {
-      allow read: if isAccessAuthorized(database);
+      allow read: if isSignedIn(database) || isPublicDashbordAnonymousAccess(database);
       allow write: if false; 
     }
 
     match /user_profiles/{userProfileId} {
-      allow get: if isAccessAuthorized(database) && isDocumentOwner(userProfileId);
-      allow write: if isAccessAuthorized(database) && isDocumentOwner(userProfileId) && isUserProfileValid(database);
+      allow get: if (isSignedIn(database) || isPublicDashbordAnonymousAccess(database)) &&
+                    isDocumentOwner(userProfileId);
+      allow write: if (isSignedIn(database) || isPublicDashbordAnonymousAccess(database)) &&
+                      isDocumentOwner(userProfileId) && isUserProfileValid(database);
       allow list: if false;
       allow delete: if false;
     }
@@ -46,8 +49,8 @@ service cloud.firestore {
   }
 
   /// Checks if a user access is authorized.
-  function isAccessAuthorized(database) {
-    return request.auth.uid != null && isEmailValid(database)
+  function isSignedIn(database) {
+    return request.auth.uid != null && isEmailValid(database);
   }
 
   /// Checks if the request is from a user with a valid email.
@@ -68,11 +71,31 @@ service cloud.firestore {
     return isEmailDomainExists;
   }
 
+  /// Checks if the sign in provider from the request equals to the given parameter.
+  function checkSignInProvider(signInProvider) {
+    let authToken = request.auth.token;
+
+    return authToken.firebase.sign_in_provider == signInProvider;
+  }
+
   /// Checks if the sign in provider from the request is a password.
   function isSignInProviderPassword() {
-    let authToken = request.auth.token;
+    return checkSignInProvider('password');
+  }
+
+  /// Checks if the sign in provider from request is anonymous and public dashboard feature is enabled
+  function isPublicDashbordAnonymousAccess(database) {
+    return isSignInProviderAnonymous(database) && isPublicDashboardEnabled(database);
+  }
+
+  /// Checks if the sign in provider from the request is an anonymous.
+  function isSignInProviderAnonymous(database) {
+    return checkSignInProvider('anonymous');
+  }
 
-    return authToken.firebase.sign_in_provider == 'password';
+  /// Checks if the public dashboard feature is enabled
+  function isPublicDashboardEnabled(database) {
+    return get(/databases/$(database)/documents/feature_config/feature_config).data.isPublicDashboardEnabled;
   }
 
   /// Checks whether project group data from the request is valid.
@@ -192,7 +215,7 @@ service cloud.firestore {
       "workflowName",
       "url",
       "apiUrl",
-      "coverage",
+      "coverage"
     ]);
   }
 
@@ -274,7 +297,7 @@ service cloud.firestore {
     let requestData = request.resource.data;
 
     return requestData.keys().hasOnly([
-      "selectedTheme",
+      "selectedTheme"
     ]);
   }
 }