-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathfirestore.rules
More file actions
49 lines (38 loc) · 1.74 KB
/
firestore.rules
File metadata and controls
49 lines (38 loc) · 1.74 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function isSignedIn() {
return request.auth != null;
}
function isOwner(userId) {
return isSignedIn() && request.auth.uid == userId;
}
match /users/{userId} {
allow read, write: if isOwner(userId);
}
match /forms/{formId} {
// Any authenticated user can create a form, ensuring they set themselves as owner.
allow create: if isSignedIn() && request.resource.data.ownerId == request.auth.uid;
// Only the owner of the form can read, update, or delete their form.
allow read, update, delete: if isOwner(resource.data.ownerId);
// Allow a user to list the forms they own.
allow list: if isSignedIn() && request.query.where.ownerId == request.auth.uid;
// Allow public read for forms that are explicitly published.
allow get: if resource.data.isPublished == true;
}
match /responses/{responseId} {
// Anyone can submit a response to a form that is published.
allow create: if get(/databases/$(database)/documents/forms/$(request.resource.data.formId)).data.isPublished == true;
// Only the owner of the form can read the responses.
allow read, list, delete: if isSignedIn() && get(/databases/$(database)/documents/forms/$(resource.data.formId)).data.ownerId == request.auth.uid;
// Nobody can update a response once it is submitted to preserve data integrity.
allow update: if false;
}
match /templates/{templateId} {
// All users can read and list templates.
allow get, list: if true;
// Writing templates is restricted (e.g., admin-only, handled by Cloud Functions).
allow write: if false;
}
}
}