OpenPlanner/firestore.rules at main · HugoGresse/OpenPlanner · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
rules_version = '2';
service cloud.firestore {
    match /databases/{database}/documents {

        // Common
        function authenticated() { return request.auth.uid != null; }

        function eventData(eventId) { return get(/databases/$(database)/documents/events/$(eventId)).data; }
        function isAdmin(data) { return data.owner == request.auth.uid || request.auth.uid in data.members;}
        function isSuperAdmin(userId) { return exists(/databases/$(database)/documents/admins/users/admins/$(userId)); }

        match /events/{eventId} {
            allow read: if authenticated() && (isAdmin(resource.data) || isSuperAdmin(request.auth.uid));
            allow create: if authenticated();
            allow write: if authenticated() && isAdmin(resource.data);

            match /sessions/{sessionId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /sessionsTemplate/{sessionId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /speakers/{speakerId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            // Magic-link tokens for speaker self-edit. Written exclusively by
            // the Cloud Functions API (firebase-admin bypasses rules). Never
            // exposed to clients — token hashes here grant edit access.
            match /speakerEditTokens/{tokenId} {
                allow read: if false;
                allow write: if false;
            }
            // Speaker-submitted pending edits awaiting admin review. Backend
            // writes via admin SDK; admin UI reads through the API, not the
            // SDK, so client access stays denied.
            match /speakerPendingEdits/{requestId} {
                allow read: if false;
                allow write: if false;
            }
            // Rate-limit counters for speaker edit link requests. Admin-only,
            // bumped from the backend.
            match /speakerEditRateLimits/{docId} {
                allow read: if false;
                allow write: if false;
            }
            match /sponsors/{sponsorId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /jobPosts/{postId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /team/{memberId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /tickets/{ticketId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /faq/{category=**} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /schedule/{scheduleId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            // AI assistant audit log. Written by the API (firebase-admin
            // bypasses rules); clients are read-only so the trail can't be
            // tampered with from the browser.
            match /aiActions/{actionId} {
                allow read: if authenticated() && (isAdmin(eventData(eventId)) || isSuperAdmin(request.auth.uid));
                allow write: if false;
            }
        }

        match /admins/users/admins/{userId} {
        	allow read: if authenticated() && isSuperAdmin(request.auth.uid);
            allow write: if false;
            allow create: if false;
        }

        // Outbound email audit log. The Cloud Functions API sends mail
        // directly via SMTP (Mailgun) and writes one row per attempt here
        // for traceability and retry inspection. Client access is denied.
        match /mail/{docId} {
            allow read: if false;
            allow write: if false;
        }

    }
}