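rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Firestore grants a request if ANY matching `allow` below evaluates to
    // true and denies everything else, so overlapping match blocks are OR-ed.
    // A runtime error inside a condition (e.g. request.auth.token on an
    // unauthenticated request) also denies, but every rule below checks
    // request.auth explicitly so the intent is auditable.

    // Signed-in caller whose e-mail Firebase Auth has verified. The
    // admin/analyst lookups are keyed by e-mail, so an unverified address
    // must never reach them: with a provider that does not verify e-mail,
    // anyone who registers an admin's address would otherwise inherit the
    // role. Admins who signed up by password must verify their e-mail once.
    function hasVerifiedEmail() {
      return request.auth != null
        && 'email' in request.auth.token
        && 'email_verified' in request.auth.token
        && request.auth.token.email_verified == true;
    }
    // /admins/{email} must exist and carry is_global_admin == true.
    // A missing document errors on `.data` and therefore denies.
    function isGlobalAdmin(email) {
      let adminUser = get(/databases/$(database)/documents/admins/$(email)).data;
      return 'is_global_admin' in adminUser && adminUser.is_global_admin == true;
    }
    // Same document, read-only role flag.
    function isGlobalAnalyst(email) {
      let adminUser = get(/databases/$(database)/documents/admins/$(email)).data;
      return 'is_global_analyst' in adminUser && adminUser.is_global_analyst == true;
    }
    // Phone-auth caller whose number equals the recipient's mobile-money
    // number. Costs one document read per evaluation. The stored number has
    // no leading "+" while the token carries E.164, hence the concatenation.
    function canAccessPayment(token, recipientId) {
      let recipient = get(/databases/$(database)/documents/recipients/$(recipientId)).data;
      return 'phone_number' in token
        && token.phone_number == ("+" + string(recipient.mobile_money_phone.phone));
    }

    // Global roles, applied to every document (including collections that
    // have no rule of their own). Note that this performs one or two
    // billed reads on every request from a signed-in caller.
    match /{document=**} {
      allow read: if hasVerifiedEmail()
        && (isGlobalAdmin(request.auth.token.email) || isGlobalAnalyst(request.auth.token.email));
      allow write: if hasVerifiedEmail() && isGlobalAdmin(request.auth.token.email);
    }

    // NOTE(review): any signed-in account (anonymous ones too, if that
    // provider is enabled) can create, rewrite and delete every document in
    // these two collections. Scope this to the owning user or to named
    // fields once the events data model is settled.
    match /events/{data} {
      allow read, write: if request.auth != null;
    }
    match /events-users/{data} {
      allow read, write: if request.auth != null;
    }

    // Intentionally public, read-only reference data.
    match /exchange-rates/{data} {
      allow read: if true;
    }

    match /recipients/{recipientId} {
      // Recipients mobile app access: the phone number on the caller's token
      // identifies the recipient document (same comparison as
      // canAccessPayment, but against the document being accessed, so no
      // extra read).
      function isOwningRecipient() {
        return request.auth != null
          && 'phone_number' in request.auth.token
          && request.auth.token.phone_number == ("+" + string(resource.data.mobile_money_phone.phone));
      }
      allow read: if isOwningRecipient();
      // The phone number is the credential that grants this access, so the
      // recipient must not be able to re-key the document to another number.
      // NOTE(review): if recipients may legitimately change their number, do
      // it through a trusted backend rather than loosening this rule.
      allow update: if isOwningRecipient()
        && request.resource.data.mobile_money_phone.phone == resource.data.mobile_money_phone.phone;

      // NOTE(review): the updates below do not restrict which fields are
      // touched; if status/amount fields are server-owned, limit them with
      // request.resource.data.diff(resource.data).affectedKeys().hasOnly([...]).
      match /payments/{paymentId} {
        allow read, update: if request.auth != null && canAccessPayment(request.auth.token, recipientId);
      }
      match /messages/{messageId} {
        allow read, update: if request.auth != null && canAccessPayment(request.auth.token, recipientId);
      }
      match /surveys/{surveyId} {
        // Per-survey access for the e-mail named in the survey itself; the
        // e-mail is an identity claim, so it must be verified.
        allow read, update: if hasVerifiedEmail() && request.auth.token.email == resource.data.access_email;
        allow read: if request.auth != null && canAccessPayment(request.auth.token, recipientId);
      }
    }

    // Recipients app access to organisations; for now only authentication is checked.
    match /organisations/{data} {
      allow read: if request.auth != null;
    }
    match /transparency-stats/{data} {
      allow read: if true;
    }

    match /users/{data=**} {
      // Self-service: a user document, or anything nested under one, whose
      // auth_user_id is the caller's uid. `resource` is null on create, so
      // these rules never grant creates; only admins create user documents.
      allow read, delete: if request.auth != null
        && request.auth.uid == resource.data.auth_user_id;
      // auth_user_id is the ownership key; the owner may not hand the
      // document to another uid.
      allow update: if request.auth != null
        && request.auth.uid == resource.data.auth_user_id
        && request.resource.data.auth_user_id == resource.data.auth_user_id;
      // Back-office access (already granted by the global match above; kept
      // so the users rules read as a complete unit).
      allow read: if hasVerifiedEmail()
        && (isGlobalAdmin(request.auth.token.email) || isGlobalAnalyst(request.auth.token.email));
      allow write: if hasVerifiedEmail() && isGlobalAdmin(request.auth.token.email);
    }
    // Subcollection documents are owned by the parent user document, which
    // costs one extra read per request. Creates are possible here (unlike
    // the rule above) because ownership comes from the parent document.
    match /users/{userId}/{data=**} {
      allow read, write: if request.auth != null
        && request.auth.uid == get(/databases/$(database)/documents/users/$(userId)).data.auth_user_id;
    }

    match /world-development-indicators/{data} {
      allow read: if true;
    }
  }
  // Grants nothing: Firestore already denies whatever no rule above allows.
  // Kept only as an explicit statement of the default-deny posture.
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if false;
    }
  }
}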