Harden Firestore fold update rule

This prevents editing fields on the fold that would lead to strange and disruptive results, for example, changing the curatorId to another user, or manually changing followCount.
2022-04-25 23:43:24 -07:00 · 2022-04-25 23:43:24 -07:00 · 262ce38bc1
commit 262ce38bc1
parent c0d6e17060
1 changed files with 4 additions and 1 deletions
--- a/firestore.rules
+++ b/firestore.rules
@ -56,7 +56,10 @@ service cloud.firestore {

    match /folds/{foldId} {
      allow read;
-      allow update, delete: if request.auth.uid == resource.data.curatorId;
+      allow update: if request.auth.uid == resource.data.curatorId
+        && request.resource.data.diff(resource.data).affectedKeys()
+        .hasOnly(['name', 'about', 'tags', 'lowercaseTags']);
+      allow delete: if request.auth.uid == resource.data.curatorId;
    }

    match /{somePath=**}/followers/{userId} {