-
Notifications
You must be signed in to change notification settings - Fork 113
Expand file tree
/
Copy pathfirestore.rules
More file actions
315 lines (266 loc) · 13.3 KB
/
firestore.rules
File metadata and controls
315 lines (266 loc) · 13.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// ============================================
// HELPER FUNCTIONS
// ============================================
// Check if the user is authenticated
function isAuthenticated() {
return request.auth != null;
}
// Check if the authenticated user is the owner
function isOwner(userId) {
return isAuthenticated() && request.auth.uid == userId;
}
// Get the user role from their profile
function getUserRole() {
return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role;
}
function isAdmin() {
return isAuthenticated() && getUserRole() == 'admin';
}
// Prevent a field from being changed on update
function fieldUnchanged(field) {
return !(field in request.resource.data)
|| request.resource.data[field] == resource.data[field];
}
// Allow updates only when the changed fields are explicitly allowed.
function onlyChangesAllowed(fields) {
return request.resource.data.diff(resource.data).changedKeys().hasOnly(fields);
}
// Validate string length
function isValidString(value, maxLen) {
return value is string && value.size() <= maxLen;
}
// ============================================
// USERS
// ============================================
match /users/{userId} {
allow read: if isOwner(userId) || isAdmin();
// A user can create their own profile document with required fields.
allow create: if isOwner(userId)
&& request.resource.data.role in ['employee', 'employer', 'admin']
&& request.resource.data.keys().hasAll(['email', 'role']);
// A user can only update their own profile document.
// Critical fields (uid, email, role) cannot be changed by the user.
allow update: if (isOwner(userId) || isAdmin())
&& fieldUnchanged('role')
&& fieldUnchanged('email')
&& fieldUnchanged('uid')
// Allow plan/subscription fields to be updated by webhooks (server-side)
// but prevent client-side plan escalation
&& fieldUnchanged('plan')
&& fieldUnchanged('subscriptionId')
&& fieldUnchanged('subscriptionStatus');
// Users cannot delete their own accounts through the app.
allow delete: if false;
match /savedOpportunities/{opportunityId} {
allow read, create, update, delete: if isOwner(userId) || isAdmin();
}
match /applications/{applicationId} {
allow read, create, update, delete: if isOwner(userId) || isAdmin();
}
match /savedJobDescriptions/{jobDescriptionId} {
allow read, create, update, delete: if isOwner(userId) || isAdmin();
}
}
match /publicProfiles/{userId} {
allow read: if isAuthenticated();
allow create, update: if isOwner(userId) || isAdmin();
allow delete: if false;
}
// ============================================
// POSTS
// ============================================
match /posts/{postId} {
allow read: if isAuthenticated();
allow create: if isAuthenticated()
&& request.resource.data.userId == request.auth.uid
&& request.resource.data.keys().hasAll(['userId', 'content', 'createdAt']);
allow update: if isAuthenticated() && (
(resource.data.userId == request.auth.uid
&& fieldUnchanged('userId')
&& onlyChangesAllowed(['content', 'imageUrl', 'updatedAt', 'likes', 'comments', 'shares']))
||
(resource.data.userId != request.auth.uid
&& fieldUnchanged('userId')
&& fieldUnchanged('content')
&& fieldUnchanged('imageUrl')
&& onlyChangesAllowed(['likes', 'comments', 'shares']))
);
allow delete: if isAuthenticated()
&& resource.data.userId == request.auth.uid;
}
// ============================================
// OPPORTUNITIES
// ============================================
match /opportunities/{opportunityId} {
// Any authenticated user can read job opportunities.
allow read: if isAuthenticated();
// An authenticated employer can create an opportunity.
allow create: if isAuthenticated()
&& getUserRole() == 'employer'
&& request.resource.data.employerId == request.auth.uid
&& request.resource.data.keys().hasAll(['title', 'employerId'])
&& isValidString(request.resource.data.title, 200)
&& (!('description' in request.resource.data)
|| isValidString(request.resource.data.description, 10000));
// Only the employer who created the opportunity can update it.
// employerId cannot be changed.
allow update: if isAuthenticated()
&& resource.data.employerId == request.auth.uid
&& fieldUnchanged('employerId');
// Only the employer who created the opportunity can delete it.
allow delete: if isAuthenticated()
&& resource.data.employerId == request.auth.uid;
}
// ============================================
// APPLICATIONS
// ============================================
match /applications/{applicationId} {
// Employees can submit their own applications.
// Employers can create invitation records for their own opportunities.
allow create: if isAuthenticated()
&& request.resource.data.keys().hasAll(['userId', 'opportunityId', 'status'])
&& (
(getUserRole() == 'employee'
&& request.resource.data.userId == request.auth.uid
&& request.resource.data.status in ['pending', 'Pending', 'Submitted'])
||
(getUserRole() == 'employer'
&& request.resource.data.status == 'Invited'
&& get(/databases/$(database)/documents/opportunities/$(request.resource.data.opportunityId)).data.employerId == request.auth.uid)
);
// Users can read their own applications.
// Employers can read applications for their jobs.
// Admins can read all applications.
allow read: if isAuthenticated() && (
isAdmin() ||
resource.data.userId == request.auth.uid ||
get(/databases/$(database)/documents/opportunities/$(resource.data.opportunityId)).data.employerId == request.auth.uid
);
// Employers can only update review metadata/status.
// Applicants can only withdraw their own application.
allow update: if isAuthenticated() && (
(get(/databases/$(database)/documents/opportunities/$(resource.data.opportunityId)).data.employerId == request.auth.uid
&& fieldUnchanged('userId')
&& fieldUnchanged('opportunityId')
&& onlyChangesAllowed(['status', 'updatedAt', 'reviewedAt', 'notes', 'invitedAt']))
||
(resource.data.userId == request.auth.uid
&& request.resource.data.status == 'withdrawn'
&& fieldUnchanged('userId')
&& fieldUnchanged('opportunityId')
&& onlyChangesAllowed(['status', 'updatedAt', 'withdrawnAt']))
);
// Applications cannot be deleted.
allow delete: if false;
}
// ============================================
// CHATS
// ============================================
match /chats/{chatId} {
// Only participants can read the chat.
allow read: if isAuthenticated()
&& request.auth.uid in resource.data.participants;
// Authenticated users can create a chat if they are a participant.
// Must have exactly 2 participants.
allow create: if isAuthenticated()
&& request.auth.uid in request.resource.data.participants
&& request.resource.data.participants.size() == 2;
// Only the derived lastMessage preview can be updated by participants.
allow update: if isAuthenticated()
&& request.auth.uid in resource.data.participants
&& onlyChangesAllowed(['lastMessage', 'hiddenFor']);
// Chats cannot be deleted.
allow delete: if false;
// ---- MESSAGES (subcollection) ----
match /messages/{messageId} {
// Only participants of the parent chat can read messages.
allow read: if isAuthenticated()
&& request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.participants;
// Only participants can send messages, and senderId must match auth.
// Message content is limited to 10KB (E2E encrypted blobs).
allow create: if isAuthenticated()
&& request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.participants
&& request.resource.data.senderId == request.auth.uid
&& (!('text' in request.resource.data)
|| request.resource.data.text.size() <= 10000);
// Participants can only mark messages as read.
allow update: if isAuthenticated()
&& request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.participants
&& request.resource.data.read == true
&& onlyChangesAllowed(['read']);
// Messages cannot be deleted.
allow delete: if false;
}
}
// ============================================
// CALLS
// ============================================
match /calls/{callId} {
// Caller or callee can read a call document.
allow read: if isAuthenticated()
&& (resource.data.callerId == request.auth.uid
|| resource.data.calleeId == request.auth.uid);
// Authenticated users can create a call if they are the caller.
// Must specify both callerId and calleeId.
allow create: if isAuthenticated()
&& request.resource.data.callerId == request.auth.uid
&& request.resource.data.keys().hasAll(['callerId', 'calleeId']);
// Caller or callee can update call state (answer, ICE candidates, status).
// callerId and calleeId cannot be changed.
allow update: if isAuthenticated()
&& (resource.data.callerId == request.auth.uid
|| resource.data.calleeId == request.auth.uid)
&& fieldUnchanged('callerId')
&& fieldUnchanged('calleeId');
// Calls cannot be deleted through the app.
allow delete: if false;
// ---- ICE CANDIDATES (subcollections) ----
match /callerCandidates/{candidateId} {
allow read: if isAuthenticated()
&& (get(/databases/$(database)/documents/calls/$(callId)).data.callerId == request.auth.uid
|| get(/databases/$(database)/documents/calls/$(callId)).data.calleeId == request.auth.uid);
allow create: if isAuthenticated()
&& get(/databases/$(database)/documents/calls/$(callId)).data.callerId == request.auth.uid;
allow delete: if false;
}
match /calleeCandidates/{candidateId} {
allow read: if isAuthenticated()
&& (get(/databases/$(database)/documents/calls/$(callId)).data.callerId == request.auth.uid
|| get(/databases/$(database)/documents/calls/$(callId)).data.calleeId == request.auth.uid);
allow create: if isAuthenticated()
&& get(/databases/$(database)/documents/calls/$(callId)).data.calleeId == request.auth.uid;
allow delete: if false;
}
}
// ============================================
// NOTIFICATIONS
// ============================================
match /notifications/{notificationId} {
// Users can only read their own notifications.
allow read: if isAuthenticated()
&& resource.data.userId == request.auth.uid;
// Notifications are created server-side after authorization checks.
allow create: if false;
// Users can only update their own notifications (mark as read).
allow update: if isAuthenticated()
&& resource.data.userId == request.auth.uid
&& fieldUnchanged('userId')
&& fieldUnchanged('type')
&& fieldUnchanged('title')
&& fieldUnchanged('message')
&& fieldUnchanged('createdAt');
// Users can delete their own notifications.
allow delete: if isAuthenticated()
&& resource.data.userId == request.auth.uid;
}
// ============================================
// CATCH-ALL: Deny access to any other collections
// ============================================
match /{document=**} {
allow read, write: if false;
}
}
}