From 5c8f939730a9d421ac25dbd0c33b2fd2f21e48bb Mon Sep 17 00:00:00 2001
From: Marshall Polaris
Date: Mon, 25 Apr 2022 23:46:39 -0700
Subject: [PATCH] Harden Firestore follower update rule

This prevents users from creating follower entries with the userId of someone else, which would effectively subscribe that person to the fold.

---
 firestore.rules | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/firestore.rules b/firestore.rules
index 90dcc2b5..88be0ed1 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -64,7 +64,8 @@ service cloud.firestore {
 match /{somePath=**}/followers/{userId} {
 allow read;
- allow write: if request.auth.uid == userId;
+ allow create, update: if request.auth.uid == userId && request.resource.data.userId == userId;
+ allow delete: if request.auth.uid == userId;
 }
 }
 }
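Review bot: The new create/update rule pins only `userId`, so an authenticated user can still write any other fields into their own follower document, and neither new line checks `request.auth` itself before dereferencing `request.auth.uid` (a null `request.auth` evaluates to an error and is denied, but the explicit guard is the conventional, readable form). If the follower document carries fields beyond `userId`, restrict the allowed keys and guard the auth object, e.g. `allow create, update: if request.auth != null && request.auth.uid == userId && request.resource.data.userId == userId && request.resource.data.keys().hasOnly(['userId']);` with the key list adjusted to the document's real schema. The same `request.auth != null` guard belongs on the new `allow delete` line. Note also that `{somePath=**}` matches a `followers` collection under any path, so the rule lets a user subscribe themselves under any fold path, existing or not — presumably intended, but worth confirming; the unconditional `allow read;` is pre-existing and outside this change. The enclosing `service` and parent `match` blocks start outside the hunk.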