3.2 Database Security Rules
From the Firestore Database, Click on the Rules tab and copy and paste the following code below:
Firestore Security Rules
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
match /categories/{document=**} {
allow read : if true;
allow write: if isUserSignedIn() && isAdmin();
}
match /tags/{document=**} {
allow read : if true;
allow write: if isUserSignedIn() && isAdmin();
}
match /courses/{document=**} {
allow read : if true;
allow update: if isUserSignedIn() && (
isAdmin() || isAuthor() ||
(request.resource.data.diff(resource.data).affectedKeys().hasOnly(['students'])) ||
(request.resource.data.diff(resource.data).affectedKeys().hasOnly(['rating']))
)
allow create, delete: if isUserSignedIn() && (isAdmin() || isAuthor());
}
match /notifications/{document=**} {
allow read : if true;
allow write: if isUserSignedIn() && isAdmin();
}
match /reviews/{document=**} {
allow read : if true;
allow create, update : if isUserSignedIn();
allow delete: if isUserSignedIn() && isAdmin();
}
match /purchases/{document=**} {
allow read : if true;
allow create: if isUserSignedIn();
}
match /settings/{document=**} {
allow read : if true;
allow write: if isUserSignedIn() && isAdmin();
}
match /user_stats/{document=**} {
allow read : if true;
allow write: if isUserSignedIn();
}
match /purchase_stats/{document=**} {
allow read : if true;
allow write: if isUserSignedIn();
}
match /users/{document=**} {
allow read : if true;
allow create: if isUserSignedIn() && request.auth.uid == request.resource.id;
allow update: if isUserSignedIn() && (
request.auth.uid == request.resource.id ||
isAdmin() ||
(request.resource.data.diff(resource.data).affectedKeys().hasOnly(['author_info']))
)
allow delete: if isUserSignedIn() && request.auth.uid == resource.id;
}
function isUserSignedIn (){
return request.auth != null;
}
function isAdmin (){
return "admin" in get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role;
}
function isAuthor (){
return "author" in get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role;
}
}
}Click on the Publish button to publish the security rules. That's it.
Last updated