MagicBracketSimulator/firestore.rules at main · TytaniumDev/MagicBracketSimulator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
rules_version='2'

service cloud.firestore {
  match /databases/{database}/documents {
    // Helper: true if the authenticated user is in the allowed-users list.
    function isAllowedUser() {
      return request.auth != null
        && exists(/databases/$(database)/documents/allowedUsers/$(request.auth.uid));
    }

    // Allowlist: each doc id is a Firebase Auth UID. Users can only read their
    // own doc (so the app can check "am I allowed?"). Add/remove allowed users
    // via Firebase Console, Admin SDK, or the approve endpoint.
    match /allowedUsers/{uid} {
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if false;
    }

    // Jobs: public reads, writes require allowlist
    match /jobs/{jobId} {
      allow read: if true;
      allow create: if isAllowedUser();
      allow update: if isAllowedUser();
      allow delete: if isAllowedUser();

      // Per-simulation tracking subcollection: public reads
      match /simulations/{simId} {
        allow read: if true;
        allow write: if isAllowedUser();
      }
    }

    // Unified decks collection: public reads
    // Only deck owner can delete; precons (ownerId == null) cannot be deleted by any user
    match /decks/{deckId} {
      allow read: if true;
      allow create: if isAllowedUser() && request.resource.data.ownerId == request.auth.uid;
      allow delete: if isAllowedUser() && resource.data.ownerId == request.auth.uid;
      allow update: if false;
    }

    // Access requests: any authenticated user can create, users can read their own
    match /accessRequests/{requestId} {
      allow create: if request.auth != null;
      allow read: if request.auth != null && resource.data.uid == request.auth.uid;
      allow update, delete: if false;
    }

    // Workers collection: public reads (worker status), writes via Admin SDK only
    match /workers/{workerId} {
      allow read: if true;
      allow write: if false;
    }

    // Catch-all: deny everything else not explicitly matched
    match /{document=**} {
      allow read, write: if false;
    }
  }
}