search/firestore.rules at main · harmonydata/search · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper function to check if user is admin
    // Admin users have a document in 'users' collection with their UID as document ID
    // and isAdmin: true field
    function isAdmin() {
      return request.auth != null &&
             exists(/databases/$(database)/documents/users/$(request.auth.uid)) &&
             get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isAdmin == true;
    }

    // Users collection: Only admins can read their own admin status document
    // Document ID must match the authenticated user's UID
    match /users/{userId} {
      allow read: if request.auth != null &&
                     request.auth.uid == userId &&
                     isAdmin();
      // Only admins can write (for creating admin users)
      allow write: if isAdmin();
    }

    // Analytics events: Public can create, admins can read
    match /analytics_events/{eventId} {
      allow create: if true; // Anyone can create analytics events
      allow read: if isAdmin(); // Only admins can read
      allow update, delete: if isAdmin(); // Only admins can modify
    }

    // Ratings/Feedback: Public can create, admins can read
    match /ratings/{ratingId} {
      allow create: if true; // Anyone can create feedback/ratings
      allow read: if isAdmin(); // Only admins can read
      allow update, delete: if isAdmin(); // Only admins can modify
    }

    // Mismatches (Harmony quality feedback): Public can create, admins can read
    match /mismatches/{mismatchId} {
      allow create: if true; // Anyone can create mismatch reports
      allow read: if isAdmin(); // Only admins can read
      allow update, delete: if isAdmin(); // Only admins can modify
    }

    // Other collections (saved_searches, saved_resources, harmonisations, etc.)
    // These are user-specific, so users can read/write their own data
    match /saved_searches/{searchId} {
      allow read, write: if request.auth != null &&
                            resource.data.userId == request.auth.uid;
      allow create: if request.auth != null &&
                      request.resource.data.userId == request.auth.uid;
    }

    match /saved_resources/{resourceId} {
      allow read, write: if request.auth != null &&
                            resource.data.userId == request.auth.uid;
      allow create: if request.auth != null &&
                      request.resource.data.userId == request.auth.uid;
    }

    match /harmonisations/{harmonisationId} {
      allow read, write: if request.auth != null &&
                            resource.data.userId == request.auth.uid;
      allow create: if request.auth != null &&
                      request.resource.data.userId == request.auth.uid;
    }
  }
}