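{
  "rules": {
    "users": {
      // Keep the top-level parent closed: nothing under /users is readable or
      // writable unless a rule below grants it.
      // .read/.write CASCADE - a child rule can add access but can never revoke
      // what a parent already granted - so every grant is placed on the narrowest
      // path that needs it. .validate rules do not cascade and are only evaluated
      // for non-null data (never on a delete).
      "$user_email": {
        // Owner check: the verified sign-in email with '.' mapped to '_' (Firebase
        // keys cannot contain '.') must equal the node key. auth.email is null for
        // providers without an email (phone, anonymous); the rule then errors and denies.
        // NOTE(review): the mapping is not injective - 'a.b@x.com' and 'a_b@x.com'
        // both become 'a_b@x_com', so a verified account at the '_' variant would pass
        // this check for the other user's node. A first-claim guard such as
        // "&& (!root.child('users/' + $user_email).exists() || root.child('users/' + $user_email + '/private/uid').val() === auth.uid)"
        // would close it, but only if the client sets private/uid in the same write that
        // creates the node - confirm the client's sign-up flow before adding it.
        ".read": "auth !== null && auth.uid !== null && auth.email_verified == true && auth.email.replace('.','_') === $user_email",
        ".write": "auth !== null && auth.uid !== null && auth.email_verified == true && auth.email.replace('.','_') === $user_email",
        "public": {
          // Deliberately NO .read on 'public': a .read here would cascade into
          // 'pending-text' and expose every user's inbox to any verified user (the
          // owner-only rules below could not revoke it). The shareable fields
          // (uid, publicKey, email) each carry their own .read instead, so other
          // users must read those three paths individually rather than 'public'
          // as a whole; the owner still reads everything via the $user_email rule.
          "pending-text": {
            // Inbox for text peanuts from other users. The owner (matched by the
            // uid stored under private/uid) can read, modify and delete entries;
            // once accepted, the owner copies an entry to their stash and deletes it.
            ".read": "auth !== null && auth.uid !== null && auth.email_verified == true && root.child('users/' + $user_email + '/private/uid').val() === auth.uid",
            ".write": "auth !== null && auth.uid !== null && auth.email_verified == true && root.child('users/' + $user_email + '/private/uid').val() === auth.uid",
            "$text": {
              // Inert for the owner (read is already granted on pending-text) and
              // denied to everyone else; kept to document intent.
              ".read": false,
              // Whitelisted contacts - the sender's email key must exist under
              // private/contacts - may CREATE an entry.
              // email_verified is required here as everywhere else: with email/password
              // sign-in anyone can create an unverified account under a contact's address,
              // so without it the whitelist could be bypassed by impersonating a contact.
              // !data.exists() makes the grant create-only: one contact cannot overwrite
              // or delete another contact's message (.validate never runs on a delete);
              // only the owner can modify or remove entries.
              ".write": "auth !== null && auth.uid !== null && auth.email_verified == true && !data.exists() && root.child('/users/' + $user_email + '/private/contacts/' + auth.email.replace('.','_')).exists()",
              // The sender-identity fields are mandatory, not merely validated when
              // present, so an entry cannot be written without an attributable sender.
              ".validate": "newData.hasChildren(['email', 'userId', 'data'])",
              // A sender may only claim their own verified email and uid.
              "email": { ".validate": "newData.isString() && newData.val() === auth.email && newData.val().length <= 128" },
              "userId": { ".validate": "newData.isString() && newData.val() === auth.uid && newData.val().length <= 32" },
              "timestamp": { ".validate": "newData.isNumber()" },
              "data": { ".validate": "newData.isString() && newData.val().length <= 1024" },
              "note": { ".validate": "newData.isString() && newData.val().length <= 512" },
              "$other": { ".validate": false }
            }
          },
          // uid, publicKey and email are readable by any verified user and writable
          // only by the owner: either through the $user_email rule above, or by the
          // account whose uid is already stored in public/uid.
          "uid": {
            ".read": "auth !== null && auth.uid !== null && auth.email_verified == true",
            ".write": "auth !== null && auth.uid !== null && auth.email_verified == true && root.child('users/' + $user_email + '/public/uid').val() === auth.uid",
            // Pinned to the writer's own uid so this node can never point at a
            // foreign account (which would hand that account the .write grants
            // keyed on public/uid).
            ".validate": "newData.isString() && newData.val() === auth.uid && newData.val().length <= 32"
          },
          "publicKey": {
            ".read": "auth !== null && auth.uid !== null && auth.email_verified == true",
            ".write": "auth !== null && auth.uid !== null && auth.email_verified == true && root.child('users/' + $user_email + '/public/uid').val() === auth.uid",
            ".validate": "newData.isString() && newData.val().length <= 512"
          },
          "email": {
            ".read": "auth !== null && auth.uid !== null && auth.email_verified == true",
            ".write": "auth !== null && auth.uid !== null && auth.email_verified == true && root.child('users/' + $user_email + '/public/uid').val() === auth.uid",
            ".validate": "newData.isString() && newData.val().length <= 128"
          },
          "$other": { ".validate": false }
        },
        "private": {
          // Only the account whose uid is stored in private/uid (plus the owner
          // through the $user_email rule) can read or write anything below.
          ".read": "auth !== null && auth.uid !== null && auth.email_verified == true && root.child('users/' + $user_email + '/private/uid').val() === auth.uid",
          ".write": "auth !== null && auth.uid !== null && auth.email_verified == true && root.child('users/' + $user_email + '/private/uid').val() === auth.uid",
          "peanut-stash": {
            // .indexOn belongs on the parent of the queried children (as on
            // peanut-alias below); nested under $text it did not serve
            // orderByChild('timestamp') queries on peanut-stash.
            ".indexOn": "timestamp",
            "$text": {
              "userEmail": { ".validate": "newData.isString() && newData.val().length <= 128" },
              "userId": { ".validate": "newData.isString() && newData.val().length <= 32" },
              "timestamp": { ".validate": "newData.isNumber()" },
              "data": { ".validate": "newData.isString() && newData.val().length <= 1024" },
              "note": { ".validate": "newData.isString() && newData.val().length <= 512" },
              "category": { ".validate": "newData.isString() && newData.val().length <= 32" },
              "$other": { ".validate": false }
            }
          },
          "peanut-alias": {
            ".indexOn": "name", // index on name for query performance
            "$text": {
              "timestamp": { ".validate": "newData.isNumber()" },
              "name": { ".validate": "newData.isString() && newData.val().length <= 32" },
              "parent": { ".validate": "newData.isString() && newData.val().length <= 20" }, // firebase key size
              "$other": { ".validate": false }
            }
          },
          "categories": {
            "$category": {
              "name": { ".validate": "newData.isString() && newData.val().length <= 32" },
              "$other": { ".validate": false }
            }
          },
          "contacts": {
            // Whitelist of senders allowed to create entries in public/pending-text,
            // keyed by the contact's email with '.' replaced by '_'.
            "$contact": { ".validate": "newData.isString() && newData.val().length <= 128" }
          },
          // Pinned to the writer's own uid for the same reason as public/uid.
          "uid": { ".validate": "newData.isString() && newData.val() === auth.uid && newData.val().length <= 32" },
          // NOTE(review): nothing in these rules shows whether privateKey is encrypted
          // client-side before it is stored; if it is not, project admins and database
          // exports can read it in clear - confirm against the client.
          "privateKey": { ".validate": "newData.isString() && newData.val().length <= 2048" },
          "$other": { ".validate": false }
        },
        "$other": { ".validate": false }
      }
    },
    "$other": { ".validate": false }
  }
}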