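rules_version = '2';

// Firestore security rules for client SDK access.
//
// When several match blocks cover the same document, access is granted if ANY
// of their `allow` conditions is true. A broad rule therefore widens access
// and can never be narrowed by a more specific rule elsewhere in this file.
service cloud.firestore {
  match /databases/{database}/documents {
    // Public collections -- keep existing defaults

    // True when the request is authenticated and the caller's uid equals userId.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }

    // Users collection: clients may read user profiles but should NOT be able to modify
    // server-controlled fields such as level, xp, totalXP, achievements, pointsHistory, etc.
    match /users/{userId} {
      // NOTE(review): every signed-in user can read the whole profile document,
      // which includes the client-writable preferences, aiDataConsent and
      // currentMood fields. Confirm these are meant to be visible to other users;
      // if not, move them to an owner-only document.
      allow read: if request.auth != null;

      // Deny client-side creation and full updates. Allow limited updates to safe fields
      // only by the authenticated user. The allow-list restricts WHICH keys may change;
      // it does not validate their types or sizes.
      allow create: if false; // server creates user documents via Admin SDK
      allow update: if isOwner(userId)
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['profilePicture','displayName','username','updatedAt', 'preferences', 'aiDataConsent', 'featuredBadge', 'bio', 'bannerImage', 'currentMood']);
      allow delete: if false; // prevent client from deleting user documents

      // Journal entries subcollection: owner-only.
      match /journalEntries/{entryId} {
        allow read: if isOwner(userId);
        // New entries must carry the owner's uid and string content/mood.
        allow create: if isOwner(userId)
          && request.resource.data.userId == userId
          && request.resource.data.content is string
          && request.resource.data.mood is string;
        // NOTE(review): updates are not validated the way creates are, so the owner
        // can change userId or store non-string content afterwards. Confirm no
        // server-side code relies on those invariants holding after creation.
        allow update: if isOwner(userId);
        allow delete: if isOwner(userId);
      }

      // Tasks subcollection: owner has full access, no field validation.
      match /tasks/{taskId} {
        allow read, write: if isOwner(userId);
      }

      // Habits subcollection: owner has full access, no field validation.
      match /habits/{habitId} {
        allow read, write: if isOwner(userId);
      }

      // Sunday chats subcollection
      match /sundayChats/{chatId} {
        allow read: if isOwner(userId);
        allow create: if isOwner(userId);
        allow update: if isOwner(userId);
        allow delete: if false; // Prevent deletion, only archiving

        // Messages subcollection
        match /messages/{messageId} {
          allow read: if isOwner(userId);
          // The chatId field must equal the parent chat's id in the path.
          // NOTE(review): the client may create messages with role "assistant".
          // If assistant messages are supposed to come only from the backend,
          // restrict client creates to role "user".
          allow create: if isOwner(userId)
            && request.resource.data.chatId == chatId
            && request.resource.data.role in ["user", "assistant"];
          allow update: if false; // Messages are immutable
          allow delete: if false; // Only Cloud Functions can delete (for compression)
        }
      }

      // Summaries subcollection (read-only for users, write by Cloud Functions)
      match /summaries/{summaryType} {
        allow read: if isOwner(userId);
        allow write: if false; // Only Cloud Functions can write summaries
      }
    }

    // Fallback: documents outside /users require authentication to read; client
    // writes are denied.
    //
    // The users tree is excluded on purpose. With rules_version 2 a bare
    // `match /{document=**}` overlaps every document in the database, and because
    // overlapping rules are OR-ed, an unconditional authenticated-read here would
    // let any signed-in user read every user's journal entries, tasks, habits,
    // chats, messages and summaries despite the isOwner() checks above.
    // Prefer explicit per-collection rules over this blanket fallback where possible.
    match /{rootCollection}/{document=**} {
      allow read: if request.auth != null && rootCollection != 'users';
      allow write: if false;
    }
  }
}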