Second gist for https://medium.com/firebase-tips-tricks/how-to-secure-many-to-many-relationships-in-firestore-d19f972fd4d3, kept separate because a security rules file has to be named exactly firestore.rules to get syntax coloring.
rules_version = '2';

// Access rules for a student <-> course many-to-many relationship.
// Each enrollment is one document in /junction_student_course whose ID is
// "<studentId>_<courseId>", so enrollment can be tested with a single exists()
// call on a known path instead of a query.
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the request carries an authenticated user.
    function isSignedIn() {
      return request.auth != null;
    }

    // True when the caller is the student named in the document as currently stored.
    function ownsStoredJunction() {
      return isSignedIn()
        && request.auth.uid == resource.data.studentId;
    }

    // True when the caller is the student named in the document being written.
    function ownsIncomingJunction() {
      return isSignedIn()
        && request.auth.uid == request.resource.data.studentId;
    }

    // Builds the deterministic junction document ID for a (student, course) pair.
    // NOTE(review): the ID identifies one pair only if uids cannot contain "_";
    // confirm this for the auth providers in use (custom-token uids in particular).
    function junctionKey(studentId, courseId) {
      return studentId + "_" + courseId;
    }

    // True when a junction document exists for this student and course.
    // Only the document ID is checked, not the stored fields; the create and
    // update rules below are what tie that ID to the caller's own uid.
    // exists() counts as a billed document read and against the per-request
    // limit on document access calls in rules.
    function isAttending(studentId, courseId) {
      let key = junctionKey(studentId, courseId);
      let path = /databases/$(database)/documents/junction_student_course/$(key);
      return exists(path);
    }

    match /junction_student_course/{junctionId} {
      // A student may read and delete only their own enrollments. Rules are not
      // filters: a list query must itself restrict studentId to the caller's uid
      // or it is rejected.
      allow read, delete: if ownsStoredJunction();

      // NOTE(review): any signed-in user can create a junction naming themselves
      // for any courseId, which then grants them read access to that course.
      // If enrollment needs approval, confirm that self-enrollment is intended.
      // The rule also does not check that the course exists or restrict which
      // other fields the document may carry.
      allow create:
        if ownsIncomingJunction()
        && junctionId == junctionKey(request.auth.uid, request.resource.data.courseId);

      // Both the stored and the incoming studentId must be the caller, and
      // courseId must still agree with the document ID, so an update cannot
      // reassign an enrollment to another student or course.
      allow update:
        if ownsIncomingJunction()
        && ownsStoredJunction()
        && junctionId == junctionKey(request.auth.uid, request.resource.data.courseId);
    }

    match /courses/{courseId} {
      // A course is readable only by a signed-in student enrolled in it.
      allow read: if isSignedIn() && isAttending(request.auth.uid, courseId);

      // No client may write courses; changes have to come from a privileged
      // back end that bypasses security rules.
      allow write: if false;
    }
  }
}