From 262ce38bc1b4ec4eefbfa522d8c5fcca1703a8ef Mon Sep 17 00:00:00 2001
From: Marshall Polaris
Date: Mon, 25 Apr 2022 23:43:24 -0700
Subject: [PATCH] Harden Firestore fold update rule

This prevents editing fields on the fold that would lead to strange and disruptive results, for example, changing the curatorId to another user, or manually changing followCount.
---
 firestore.rules | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/firestore.rules b/firestore.rules
index 82c7f5c3..90dcc2b5 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -56,7 +56,10 @@ service cloud.firestore {
 match /folds/{foldId} {
 allow read;
- allow update, delete: if request.auth.uid == resource.data.curatorId;
+ allow update: if request.auth.uid == resource.data.curatorId
+ && request.resource.data.diff(resource.data).affectedKeys()
+ .hasOnly(['name', 'about', 'tags', 'lowercaseTags']);
+ allow delete: if request.auth.uid == resource.data.curatorId;
 }
 match /{somePath=**}/followers/{userId} {
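Review bot: The new `hasOnly([...])` allow-list on the update rule constrains which keys a curator may touch but says nothing about what those keys may hold, so `name`, `about`, `tags` and `lowercaseTags` can still be rewritten to any type or size, and `lowercaseTags` is accepted as whatever the client sends rather than being checked against `tags`. Since the commit's stated goal is to keep fold documents well-formed, it would be consistent to add type constraints in the same condition, e.g. `&& request.resource.data.name is string && request.resource.data.about is string` and `&& request.resource.data.tags is list && request.resource.data.lowercaseTags is list`; if any of these fields can legitimately be absent, guard each check with `'name' in request.resource.data` (and likewise for the others) so a missing field does not error the evaluation. The `affectedKeys()` diff is also a good place for a short comment stating why `curatorId` and `followCount` are deliberately excluded, since the allow-list alone does not explain the intent. The unauthenticated case (`request.auth` null) is unchanged by this hunk and presumably still results in denial through an evaluation error rather than an explicit `request.auth != null` check; worth confirming that is intended.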