3.2 Database Security Rules

On the Firestore Database page, click the Rules tab and paste the following rules:

Firestore Security Rules
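rules_version = '2';

// Access rules for the course platform. Every collection below is
// world-readable; writes are gated on sign-in and on the `role` list stored
// in users/{uid} (see hasRole). Paths not matched here are denied by default.
service cloud.firestore {
  match /databases/{database}/documents {

    // ---- taxonomy: public read, admin-only write ----------------------
    match /categories/{document=**} {
      allow read: if true;
      allow write: if isUserSignedIn() && isAdmin();
    }

    match /tags/{document=**} {
      allow read: if true;
      allow write: if isUserSignedIn() && isAdmin();
    }

    // ---- courses ------------------------------------------------------
    match /courses/{document=**} {
      allow read: if true;
      // Admins and holders of the `author` role may change any field;
      // isAuthor() means "has the author role", not "wrote this course".
      // Any other signed-in user may change ONLY `students` or ONLY
      // `rating`. The key check bounds which field changes, not its value.
      allow update: if isUserSignedIn() && (
        isAdmin() || isAuthor() ||
        onlyChanges(['students']) ||
        onlyChanges(['rating'])
      );
      allow create, delete: if isUserSignedIn() && (isAdmin() || isAuthor());
    }

    match /notifications/{document=**} {
      allow read: if true;
      allow write: if isUserSignedIn() && isAdmin();
    }

    // Any signed-in user may create or update ANY review, not only their
    // own; scope `update` to the review's owner once the app stores one.
    match /reviews/{document=**} {
      allow read: if true;
      allow create, update: if isUserSignedIn();
      allow delete: if isUserSignedIn() && isAdmin();
    }

    // Purchases are append-only from the client (no update/delete rule),
    // but every purchase record is world-readable.
    match /purchases/{document=**} {
      allow read: if true;
      allow create: if isUserSignedIn();
    }

    match /settings/{document=**} {
      allow read: if true;
      allow write: if isUserSignedIn() && isAdmin();
    }

    // Stats documents are writable by any signed-in user, for any document
    // id, so a client can overwrite another user's stats.
    match /user_stats/{document=**} {
      allow read: if true;
      allow write: if isUserSignedIn();
    }

    match /purchase_stats/{document=**} {
      allow read: if true;
      allow write: if isUserSignedIn();
    }

    // ---- users --------------------------------------------------------
    // `role` is what isAdmin()/isAuthor() trust, so a user must never be
    // able to grant it to themselves through their own profile document:
    // self-create may not carry a privileged role and self-update may not
    // touch `role` at all. Only admins (or the console) assign roles.
    match /users/{document=**} {
      allow read: if true; // the whole profile, `role` included, is public
      allow create: if isUserSignedIn()
        && request.auth.uid == request.resource.id
        && !grantsPrivilegedRole();
      allow update: if isUserSignedIn() && (
        (request.auth.uid == request.resource.id && !touches(['role'])) ||
        isAdmin() ||
        // any signed-in user may change `author_info` on any user document
        onlyChanges(['author_info'])
      );
      allow delete: if isUserSignedIn() && request.auth.uid == resource.id;
    }

    // ---- helpers ------------------------------------------------------
    function isUserSignedIn() {
      return request.auth != null;
    }

    // Role lookup reads users/{uid}; every caller guards with
    // isUserSignedIn() first so request.auth.uid is non-null. `role` is
    // treated as a list, exactly as the `in` check does. The get() counts
    // toward the per-request document-access limit.
    function hasRole(role) {
      return role in get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role;
    }

    function isAdmin() {
      return hasRole("admin");
    }

    function isAuthor() {
      return hasRole("author");
    }

    // True when the write changes only the given keys of an existing doc.
    function onlyChanges(keys) {
      return request.resource.data.diff(resource.data).affectedKeys().hasOnly(keys);
    }

    // True when the write changes at least one of the given keys.
    function touches(keys) {
      return request.resource.data.diff(resource.data).affectedKeys().hasAny(keys);
    }

    // True when the incoming document carries a role that isAdmin() or
    // isAuthor() would accept. A non-list `role` makes hasAny() error,
    // which denies the write.
    function grantsPrivilegedRole() {
      return "role" in request.resource.data
        && request.resource.data.role.hasAny(["admin", "author"]);
    }
  }
}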

Click the Publish button to publish the security rules. That's it.
