Hardening Firestore rules (#101)
* Harden Firestore fold update rule This prevents editing fields on the fold that would lead to strange and disruptive results, for example, changing the curatorId to another user, or manually changing followCount. * Harden Firestore follower update rule This prevents users from creating follower entries with the userId of someone else, which would effectively subscribe that person to the fold. * Harden Firestore comment posting rule This prevents people from posting comments with inauthentic user information. * Fix silly bugs in comment rules I made
This commit is contained in:
parent
c0d6e17060
commit
53c79f41a3
|
@ -45,9 +45,18 @@ service cloud.firestore {
|
||||||
allow read;
|
allow read;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function commentMatchesUser(userId, comment) {
|
||||||
|
// it's a bad look if someone can impersonate other ids/names/avatars so check everything
|
||||||
|
let user = get(/databases/$(database)/documents/users/$(userId));
|
||||||
|
return comment.userId == userId
|
||||||
|
&& comment.userName == user.data.name
|
||||||
|
&& comment.userUsername == user.data.username
|
||||||
|
&& comment.userAvatarUrl == user.data.avatarUrl;
|
||||||
|
}
|
||||||
|
|
||||||
match /{somePath=**}/comments/{commentId} {
|
match /{somePath=**}/comments/{commentId} {
|
||||||
allow read;
|
allow read;
|
||||||
allow create: if request.auth != null;
|
allow create: if request.auth != null && commentMatchesUser(request.auth.uid, request.resource.data);
|
||||||
}
|
}
|
||||||
|
|
||||||
match /{somePath=**}/answers/{answerId} {
|
match /{somePath=**}/answers/{answerId} {
|
||||||
|
@ -56,12 +65,16 @@ service cloud.firestore {
|
||||||
|
|
||||||
match /folds/{foldId} {
|
match /folds/{foldId} {
|
||||||
allow read;
|
allow read;
|
||||||
allow update, delete: if request.auth.uid == resource.data.curatorId;
|
allow update: if request.auth.uid == resource.data.curatorId
|
||||||
|
&& request.resource.data.diff(resource.data).affectedKeys()
|
||||||
|
.hasOnly(['name', 'about', 'tags', 'lowercaseTags']);
|
||||||
|
allow delete: if request.auth.uid == resource.data.curatorId;
|
||||||
}
|
}
|
||||||
|
|
||||||
match /{somePath=**}/followers/{userId} {
|
match /{somePath=**}/followers/{userId} {
|
||||||
allow read;
|
allow read;
|
||||||
allow write: if request.auth.uid == userId;
|
allow create, update: if request.auth.uid == userId && request.resource.data.userId == userId;
|
||||||
|
allow delete: if request.auth.uid == userId;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue
Block a user