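{
  "rules": {
    // Access model of this rule set: every collection listed below is
    // world-readable; writes require a signed-in user and are tied to the
    // writer's auth.uid. Rule files of this kind accept // comments.
    "posts": {
      // Anyone, signed in or not, can read all posts.
      ".read": true,
      "$id": {
        // A signed-in user may create a post; an existing post may only be
        // changed or removed by the user recorded in its creatorUID.
        // The auth != null guard covers both branches, so the ownership
        // comparison is never evaluated for an unauthenticated request.
        ".write": "auth != null && (!data.exists() || data.child('creatorUID').val() === auth.uid)",
        // All four fields must be present on a saved post.
        // NOTE(review): children other than these four are not rejected at
        // this level; add "$other": { ".validate": false } under $id if
        // posts should have a closed shape.
        ".validate": "newData.hasChildren(['title','url','creator','creatorUID'])",
        // title must be a non-empty string
        "title": {
          ".validate": "newData.isString() && newData.val().length > 0"
        },
        // NOTE(review): any string is accepted here. If clients render this
        // value as a link, consider restricting it to http(s) in this rule
        // and checking it again where it is rendered.
        "url": {
          ".validate": "newData.isString()"
        },
        // Client-supplied display name; it is not checked against the
        // profile entry, so only creatorUID identifies the author.
        "creator": {
          ".validate": "newData.isString()"
        },
        // creatorUID must be the writer's own uid, and that uid must already
        // have a profile entry.
        "creatorUID": {
          ".validate": "auth.uid === newData.val() && root.child('profile/'+newData.val()).exists()"
        }
      }
    },
    "comments": {
      ".read": true,
      "$post_id": {
        // make sure the post we're adding comments to exists
        ".validate": "root.child('posts/'+$post_id).exists()",
        "$comment_id": {
          // Same ownership model as posts: signed-in users create, only the
          // recorded creatorUID may change or remove an existing comment.
          ".write": "auth != null && (!data.exists() || data.child('creatorUID').val() === auth.uid)",
          // Bind authorship to the writer. The previous rule only looked at
          // the stored data, so a new comment could carry another user's
          // uid (or none) in creatorUID, and an owner could reassign it.
          // .validate is not evaluated on deletion, so owners can still
          // delete their comments.
          ".validate": "newData.child('creatorUID').val() === auth.uid"
        }
      }
    },
    "profile": {
      // Everything stored under profile is publicly readable.
      ".read": true,
      "$uid": {
        // A user may create only their own profile, and only once:
        // because of !data.exists(), an existing profile cannot be updated
        // or deleted through these rules.
        // NOTE(review): the profile contents are not validated.
        ".write": "auth != null && !data.exists() && auth.uid === $uid"
      }
    },
    "user_posts": {
      ".read": true,
      "$uid": {
        // only the user can write here
        // NOTE(review): the written contents are not validated.
        ".write": "auth != null && auth.uid === $uid"
      }
    },
    // Don't let users post to other fields
    "$other": { ".validate": false }
  }
}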