Harden Firestore comment posting rule

This prevents people from posting comments with inauthentic user information.
2022-04-26 00:22:49 -07:00 · 2022-04-26 00:22:49 -07:00 · b942e65bb7
commit b942e65bb7
parent 5c8f939730
1 changed files with 10 additions and 1 deletions
--- a/firestore.rules
+++ b/firestore.rules
@ -45,9 +45,18 @@ service cloud.firestore {
      allow read;
    }

+    function commentMatchesUser(userId, comment) {
+      // it's a bad look if someone can impersonate other ids/names/avatars so check everything
+      let user = get(/databases/$(database)/documents/users/$(userId));
+      return comment.userId == userId
+        && comment.userName == user.name
+        && comment.userUsername == user.username
+        && comment.userAvatarUrl == user.avatarUrl
+    }
+
    match /{somePath=**}/comments/{commentId} {
      allow read;
-      allow create: if request.auth != null;
+      allow create: if request.auth != null && commentMatchesUser(request.resource.data, request.auth.uid);
    }

    match /{somePath=**}/answers/{answerId} {