From e4239d0122b9d1e7269a468a6d48bde5186a9fd9 Mon Sep 17 00:00:00 2001
From: Marshall Polaris
Date: Fri, 12 Aug 2022 20:13:09 -0700
Subject: [PATCH] Tweak Firestore user rules to be more robust (#750)
---
 firestore.rules | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/firestore.rules b/firestore.rules
index b0befc85..81ab4eed 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -20,17 +20,17 @@ service cloud.firestore {
 match /users/{userId} {
 allow read;
- allow update: if resource.data.id == request.auth.uid
+ allow update: if userId == request.auth.uid
 && request.resource.data.diff(resource.data).affectedKeys()
 .hasOnly(['bio', 'bannerUrl', 'website', 'twitterHandle', 'discordHandle', 'followedCategories', 'lastPingTime','shouldShowWelcome']);
 // User referral rules
- allow update: if resource.data.id == request.auth.uid
+ allow update: if userId == request.auth.uid
 && request.resource.data.diff(resource.data).affectedKeys()
 .hasOnly(['referredByUserId', 'referredByContractId', 'referredByGroupId'])
 // only one referral allowed per user
 && !("referredByUserId" in resource.data)
 // user can't refer themselves
- && !(resource.data.id == request.resource.data.referredByUserId);
+ && !(userId == request.resource.data.referredByUserId);
 // quid pro quos enabled (only once though so nbd) - bc I can't make this work:
 // && (get(/databases/$(database)/documents/users/$(request.resource.data.referredByUserId)).referredByUserId == resource.data.id);
 }
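Review bot: The referral rule still accepts any value for `referredByUserId`: nothing requires it to be a string, so `!(userId == request.resource.data.referredByUserId)` is satisfied by a number, map or null just as well as by another user's id, and the "only one referral" guard only tests `referredByUserId`, so `referredByContractId`/`referredByGroupId` can be rewritten indefinitely as long as `referredByUserId` is never set. Consider adding `&& request.resource.data.referredByUserId is string` ahead of the self-referral check and writing that check as `&& request.resource.data.referredByUserId != userId`. The commented-out `get(...)` line most likely failed because a fetched document's fields live under `.data` — `get(...).data.referredByUserId` — not directly on the result, so the quid-pro-quo guard may be recoverable if it is still wanted. Switching the owner check from the mutable `resource.data.id` field to the path segment `userId` is the right call; note the enclosing `service cloud.firestore {` block begins before this hunk and no `allow create`/`allow delete` for `/users` is visible here.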
@@ -60,8 +60,8 @@ service cloud.firestore {
 }
 match /private-users/{userId} {
- allow read: if resource.data.id == request.auth.uid || isAdmin();
- allow update: if (resource.data.id == request.auth.uid || isAdmin())
+ allow read: if userId == request.auth.uid || isAdmin();
+ allow update: if (userId == request.auth.uid || isAdmin())
 && request.resource.data.diff(resource.data).affectedKeys()
 .hasOnly(['apiKey', 'unsubscribedFromResolutionEmails', 'unsubscribedFromCommentEmails', 'unsubscribedFromAnswerEmails', 'notificationPreferences' ]);
 }
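Review bot: `apiKey` stays in the `hasOnly` list of the `/private-users` update rule, so the authenticated owner can write any value into their own `apiKey` field, including one that collides with another user's key; whether that is exploitable depends on how the backend resolves keys, which is not visible here, but if it looks users up by this field the rule should not let clients pick the value. If keys are meant to be server-generated, drop `'apiKey'` from the client-allowed list and leave regeneration to the `isAdmin()` path; otherwise at least constrain it, e.g. `&& (!('apiKey' in request.resource.data.diff(resource.data).affectedKeys()) || request.resource.data.apiKey is string)`. The read rule correctly limits private data to the owner or an admin, and an unauthenticated request fails closed because evaluating `request.auth.uid` on a null `request.auth` is a rule error. `isAdmin()` is defined outside this hunk and the enclosing `service cloud.firestore {` block starts before it.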