Hardening Firestore rules (#101)

* Harden Firestore fold update rule

This prevents editing fields on the fold that would lead to
strange and disruptive results, for example, changing the
curatorId to another user, or manually changing followCount.

* Harden Firestore follower update rule

This prevents users from creating follower entries with
the userId of someone else, which would effectively
subscribe that person to the fold.

* Harden Firestore comment posting rule

This prevents people from posting comments with inauthentic
user information.

* Fix silly bugs in comment rules I made
This commit is contained in:
Marshall Polaris 2022-04-27 01:17:29 -07:00 committed by GitHub
parent c0d6e17060
commit 53c79f41a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -45,9 +45,18 @@ service cloud.firestore {
allow read;
}
function commentMatchesUser(userId, comment) {
// it's a bad look if someone can impersonate other ids/names/avatars so check everything
let user = get(/databases/$(database)/documents/users/$(userId));
return comment.userId == userId
&& comment.userName == user.data.name
&& comment.userUsername == user.data.username
&& comment.userAvatarUrl == user.data.avatarUrl;
}
match /{somePath=**}/comments/{commentId} {
allow read;
allow create: if request.auth != null;
allow create: if request.auth != null && commentMatchesUser(request.auth.uid, request.resource.data);
}
match /{somePath=**}/answers/{answerId} {
@ -56,12 +65,16 @@ service cloud.firestore {
match /folds/{foldId} {
allow read;
allow update, delete: if request.auth.uid == resource.data.curatorId;
allow update: if request.auth.uid == resource.data.curatorId
&& request.resource.data.diff(resource.data).affectedKeys()
.hasOnly(['name', 'about', 'tags', 'lowercaseTags']);
allow delete: if request.auth.uid == resource.data.curatorId;
}
match /{somePath=**}/followers/{userId} {
allow read;
allow write: if request.auth.uid == userId;
allow create, update: if request.auth.uid == userId && request.resource.data.userId == userId;
allow delete: if request.auth.uid == userId;
}
}
}
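Review bot: The new fold update rule at the `.hasOnly(['name', 'about', 'tags', 'lowercaseTags'])` line restricts which keys may change but does not validate the values written to them, so the curator can still store any type or size under those keys; a check appended to the same rule such as `&& request.resource.data.name is string && request.resource.data.tags is list` would pin the expected shape (the exact field types are not visible here, so adjust to the schema). The comment create rule in the first hunk has the same gap: `commentMatchesUser` binds the identity fields to the caller's `users` document, but the remaining fields of `request.resource.data` are unconstrained, so a guard like `&& request.resource.data.keys().hasOnly([<comment field list>])` would stop unexpected fields being persisted. Whether `curatorId` is bound to `request.auth.uid` when a fold is created cannot be confirmed from this section, because the fold create rule is outside both hunks. Note also that the `get()` in `commentMatchesUser` adds a document read to every comment create, which is acceptable here but worth a comment on the function stating that it depends on the `users/{userId}` document existing and carrying `name`, `username` and `avatarUrl`.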