Harden Firestore follower update rule

This prevents users from creating follower entries with the userId of someone else, which would effectively subscribe that person to the fold.
2022-04-25 23:46:39 -07:00 · 2022-04-25 23:46:39 -07:00 · 5c8f939730
commit 5c8f939730
parent 262ce38bc1
1 changed files with 2 additions and 1 deletions
--- a/firestore.rules
+++ b/firestore.rules
@ -64,7 +64,8 @@ service cloud.firestore {

    match /{somePath=**}/followers/{userId} {
      allow read;
-      allow write: if request.auth.uid == userId;
+      allow create, update: if request.auth.uid == userId && request.resource.data.userId == userId;
+      allow delete: if request.auth.uid == userId;
    }
  }
 }