Spark-IQ/firestore.rules at main · 0xPyxis/Spark-IQ · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    // Helper functions
    function isAuthenticated() {
      return request.auth != null;
    }

    function isTeacher() {
      return isAuthenticated() &&
        get(/databases/$(database)/documents/teachers/$(request.auth.uid)).data != null;
    }

    function isStudent() {
      return isAuthenticated() &&
        get(/databases/$(database)/documents/students/$(request.auth.uid)).data != null;
    }

    // Allow role checking during login
    match /students/{userId} {
      allow read: if true;  // Allow reading during role check
      allow write: if isAuthenticated() && request.auth.uid == userId;
    }

    match /teachers/{userId} {
      allow read: if true;  // Allow reading during role check
      allow write: if isAuthenticated() && request.auth.uid == userId;
    }

    // Allow authenticated users to read chat data
    match /chats/{chatId} {
      allow read: if isAuthenticated();
      allow write: if isAuthenticated();
    }

    match /messages/{messageId} {
      allow read: if isAuthenticated();
      allow write: if isAuthenticated();
    }

    // Allow authenticated users to read and write their own profile data
    match /users/{userId} {
      allow read: if isAuthenticated();
      allow write: if isAuthenticated() && request.auth.uid == userId;
    }

    // Default rule for other collections
    match /{document=**} {
      allow read: if isAuthenticated();
      allow write: if isAuthenticated();
    }
  }
}

service firebase.storage {
  match /b/{bucket}/o {
    // Helper functions
    function isAuthenticated() {
      return request.auth != null;
    }

    function isTeacher() {
      return isAuthenticated() &&
        exists(/databases/$(database)/documents/teachers/$(request.auth.uid));
    }

    function isUserInChat(chatId) {
      return isAuthenticated() &&
             exists(/databases/$(database)/documents/chats/$(chatId)) &&
             request.auth.uid in get(/databases/$(database)/documents/chats/$(chatId)).data.participants;
    }

    // Profile pictures - specific rules
    match /profile-pictures/{userId}/{allPaths=**} {
      allow read: if isAuthenticated();  // Any authenticated user can view profile pictures
      allow write: if isAuthenticated() && request.auth.uid == userId;  // Only user can upload their own picture
    }

    // Chat attachments and files
    match /chat/{chatId}/{allPaths=**} {
      allow read: if isUserInChat(chatId);
      allow write: if isUserInChat(chatId) &&
                   request.resource.size < 10 * 1024 * 1024 &&  // 10MB file size limit
                   request.resource.contentType.matches('image/.*|video/.*|application/pdf');  // Restrict file types
    }

    // Assignment files
    match /assignments/{assignmentId}/{allPaths=**} {
      allow read: if isAuthenticated();
      allow write: if isTeacher() &&
                   request.resource.size < 20 * 1024 * 1024;  // 20MB file size limit
      allow delete: if isTeacher(); // Allow teachers to delete assignment files
    }

    // Announcement files
    match /announcements/{userId}/{fileName} {
      allow read: if isAuthenticated();
      allow write: if isTeacher() &&
                   request.resource.size < 10 * 1024 * 1024;  // 10MB file size limit
      allow delete: if isTeacher();
    }

    // Submission files - Updated rules
    match /submissions/{assignmentId}/{studentId}/{fileName} {
      allow read: if isAuthenticated() && (
        isTeacher() || // Teachers can read all submissions
        request.auth.uid == studentId // Students can read their own submissions
      );
      allow create, update: if isAuthenticated() &&
        request.auth.uid == studentId && // Students can only write to their own folder
        request.resource.size < 50 * 1024 * 1024; // 50MB file size limit
      allow delete: if isTeacher() || // Teachers can delete any submission
                   (isAuthenticated() && request.auth.uid == studentId); // Students can delete their own ungraded submissions
    }

    // Default rule - deny all other access
    match /{allPaths=**} {
      allow read: if isAuthenticated();
      allow write: if false;
    }
  }
}