-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathfirestore.rules
More file actions
108 lines (94 loc) · 5.95 KB
/
firestore.rules
File metadata and controls
108 lines (94 loc) · 5.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Allow public read access for general app data if needed (e.g. courses list - but not specific user data)
// Example:
// match /courses/{courseId} {
// allow read: if true;
// allow write: if request.auth != null && get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId == '8918'; // Admin only
// }
// Student profiles
match /students/{userId} {
allow read, update, create: if request.auth != null && request.auth.uid == userId;
// allow create: if request.auth != null; // Allow creation if user is authenticated, verification of studentId happens in app logic
// Progress subcollection
match /progress/{moduleId} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
// Courses enrolled subcollection
match /coursesEnrolled/{courseId} {
allow read, create, delete: if request.auth != null && request.auth.uid == userId;
}
// Learning stats subcollection
match /learningStats/{statId} {
allow read, write: if request.auth != null && request.auth.uid == userId;
}
}
// Allowed students list (for ID verification during login - typically admin-managed or pre-populated)
match /allowed_students/{studentDocId} {
allow read: if request.auth != null; // Authenticated users can read (needed for login flow)
// allow write: if request.auth != null && get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId == '8918'; // Admin only for writes
allow write: if false; // Typically managed via Admin SDK or console
}
// Feedback
match /feedback/{feedbackId} {
allow create: if request.auth != null && request.auth.uid == request.resource.data.studentId;
allow read: if request.auth != null && get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId == '8918'; // Admin only for reading all feedback
}
// Student Quiz Attempts
match /student_quiz_attempts/{attemptId} {
allow create: if request.auth != null && request.auth.uid == request.resource.data.userId;
allow read: if request.auth != null && (resource.data.userId == request.auth.uid || get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId in ["8918", "STRITH23170"]);
}
// Course-specific doubts
match /courses/{courseId}/modules/{moduleId}/doubts/{doubtId} {
allow read: if request.auth != null; // All authenticated users can read doubts
allow create: if request.auth != null; // Authenticated users can create doubts
allow update: if request.auth != null &&
(request.auth.uid == resource.data.senderId || // Sender can update (e.g. edit, pin their own)
get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId in ["8918", "STRITH23170"]); // Admins can update (e.g. pin any)
// Deletion rules might be more restrictive, e.g., only sender or admin.
// allow delete: if request.auth != null && (request.auth.uid == resource.data.senderId || get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId == '8918');
}
// Live Meetings
match /liveMeetings/{roomId} {
allow read: if request.auth != null;
allow create: if request.auth != null && get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId in ["8918", "STRITH23170"]; // Only admins can create
allow update: if request.auth != null && get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId in ["8918", "STRITH23170"];// Only admins can update (e.g. end meeting)
match /presence/{participantId} {
allow read: if request.auth != null;
allow create: if request.auth != null && request.auth.uid == participantId; // User can mark their own presence
allow update: if request.auth != null && request.auth.uid == participantId; // User can update their own presence (e.g. leave)
}
match /chat/{messageId} {
allow read: if request.auth != null;
allow create: if request.auth != null; // Any authenticated user in the meeting can send messages
allow update(pin): if request.auth != null && get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId in ["8918", "STRITH23170"]; // Admins can pin
}
match /summary/{summaryId} {
allow read: if request.auth != null;
allow create, update: if false; // Should be created by a backend function typically
}
}
// AR Session Logs
match /arSessions/{sessionId} {
allow create: if request.auth != null && request.auth.uid == request.resource.data.studentId; // User can log their own sessions
// Read access might be restricted to admins or specific analytics roles
allow read: if request.auth != null && get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId in ["8918", "STRITH23170"]; // Admins can read
}
// Payments collection
match /payments/{paymentId} {
allow create: if request.auth != null && request.auth.uid == request.resource.data.userId;
allow read: if request.auth != null &&
(resource.data.userId == request.auth.uid ||
get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId in ["8918", "STRITH23170"]);
// No public update or delete on payment records for general users
allow update, delete: if false;
}
match /payments_failed/{paymentId} {
allow create: if request.auth != null && request.auth.uid == request.resource.data.userId;
allow read: if request.auth != null && get(/databases/$(database)/documents/students/$(request.auth.uid)).data.studentId in ["8918", "STRITH23170"];
allow update, delete: if false;
}
}
}