Hardening Firestore rules (#101)

* Harden Firestore fold update rule

This prevents editing fields on the fold that would lead to
strange and disruptive results, for example, changing the
curatorId to another user, or manually changing followCount.

* Harden Firestore follower update rule

This prevents users from creating follower entries with
the userId of someone else, which would effectively
subscribe that person to the fold.

* Harden Firestore comment posting rule

This prevents people from posting comments with inauthentic
user information.

* Fix silly bugs in comment rules I made
This commit is contained in:
Marshall Polaris 2022-04-27 01:17:29 -07:00 committed by GitHub
parent c0d6e17060
commit 53c79f41a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -45,9 +45,18 @@ service cloud.firestore {
allow read; allow read;
} }
function commentMatchesUser(userId, comment) {
// it's a bad look if someone can impersonate other ids/names/avatars so check everything
let user = get(/databases/$(database)/documents/users/$(userId));
return comment.userId == userId
&& comment.userName == user.data.name
&& comment.userUsername == user.data.username
&& comment.userAvatarUrl == user.data.avatarUrl;
}
match /{somePath=**}/comments/{commentId} { match /{somePath=**}/comments/{commentId} {
allow read; allow read;
allow create: if request.auth != null; allow create: if request.auth != null && commentMatchesUser(request.auth.uid, request.resource.data);
} }
match /{somePath=**}/answers/{answerId} { match /{somePath=**}/answers/{answerId} {
@ -56,12 +65,16 @@ service cloud.firestore {
match /folds/{foldId} { match /folds/{foldId} {
allow read; allow read;
allow update, delete: if request.auth.uid == resource.data.curatorId; allow update: if request.auth.uid == resource.data.curatorId
&& request.resource.data.diff(resource.data).affectedKeys()
.hasOnly(['name', 'about', 'tags', 'lowercaseTags']);
allow delete: if request.auth.uid == resource.data.curatorId;
} }
match /{somePath=**}/followers/{userId} { match /{somePath=**}/followers/{userId} {
allow read; allow read;
allow write: if request.auth.uid == userId; allow create, update: if request.auth.uid == userId && request.resource.data.userId == userId;
allow delete: if request.auth.uid == userId;
} }
} }
} }