From 53c79f41a3fcf85836a987b53102c8b556299abe Mon Sep 17 00:00:00 2001
From: Marshall Polaris <marshall@pol.rs>
Date: Wed, 27 Apr 2022 01:17:29 -0700
Subject: [PATCH] Hardening Firestore rules (#101)

* Harden Firestore fold update rule

This prevents editing fields on the fold that would lead to
strange and disruptive results, for example, changing the
curatorId to another user, or manually changing followCount.

* Harden Firestore follower update rule

This prevents users from creating follower entries with
the userId of someone else, which would effectively
subscribe that person to the fold.

* Harden Firestore comment posting rule

This prevents people from posting comments with inauthentic
user information.

* Fix silly bugs in comment rules I made
---
 firestore.rules | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/firestore.rules b/firestore.rules
index 82c7f5c3..48214e3b 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -45,9 +45,18 @@ service cloud.firestore {
       allow read;
     }
 
+    function commentMatchesUser(userId, comment) {
+      // it's a bad look if someone can impersonate other ids/names/avatars so check everything
+      let user = get(/databases/$(database)/documents/users/$(userId));
+      return comment.userId == userId
+        && comment.userName == user.data.name
+        && comment.userUsername == user.data.username
+        && comment.userAvatarUrl == user.data.avatarUrl;
+    }
+
     match /{somePath=**}/comments/{commentId} {
       allow read;
-      allow create: if request.auth != null;
+      allow create: if request.auth != null && commentMatchesUser(request.auth.uid, request.resource.data);
     }
 
     match /{somePath=**}/answers/{answerId} {
@@ -56,12 +65,16 @@ service cloud.firestore {
 
     match /folds/{foldId} {
       allow read;
-      allow update, delete: if request.auth.uid == resource.data.curatorId;
+      allow update: if request.auth.uid == resource.data.curatorId
+        && request.resource.data.diff(resource.data).affectedKeys()
+        .hasOnly(['name', 'about', 'tags', 'lowercaseTags']);
+      allow delete: if request.auth.uid == resource.data.curatorId;
     }
 
     match /{somePath=**}/followers/{userId} {
       allow read;
-      allow write: if request.auth.uid == userId;
+      allow create, update: if request.auth.uid == userId && request.resource.data.userId == userId;
+      allow delete: if request.auth.uid == userId;
     }
   }
 }