-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathfirestore.rules.new
135 lines (118 loc) · 4.1 KB
/
firestore.rules.new
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// Helper functions
function isAuthenticated() {
return request.auth != null;
}
function isAdmin() {
return isAuthenticated() &&
get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
}
function isAgent() {
return isAuthenticated() &&
get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role in ['agent', 'admin'];
}
function isOwner(userId) {
return isAuthenticated() && request.auth.uid == userId;
}
function hasValidFields(requiredFields) {
return request.resource.data.keys().hasAll(requiredFields);
}
// Users collection
match /users/{userId} {
allow read: if isAuthenticated();
allow create: if isAdmin();
allow update: if isAdmin() || isOwner(userId);
allow delete: if isAdmin();
}
// Chat sessions and messages
match /chat_sessions/{sessionId} {
allow read: if isAuthenticated() && (
resource.data.userId == request.auth.uid ||
isAgent()
);
allow create: if isAuthenticated();
allow update: if isAuthenticated() && (
resource.data.userId == request.auth.uid ||
isAgent()
);
allow delete: if isAdmin();
}
match /chat_messages/{messageId} {
allow read: if isAuthenticated() && (
get(/databases/$(database)/documents/chat_sessions/$(resource.data.sessionId)).data.userId == request.auth.uid ||
isAgent()
);
allow create: if isAuthenticated() && hasValidFields(['content', 'sessionId', 'timestamp', 'role']);
allow update: if false; // Messages should be immutable
allow delete: if isAdmin();
}
// Tickets
match /tickets/{ticketId} {
allow read: if isAuthenticated() && (
resource.data.userId == request.auth.uid ||
isAgent()
);
allow create: if isAuthenticated() && hasValidFields(['title', 'description', 'priority', 'status']);
allow update: if isAuthenticated() && (
resource.data.userId == request.auth.uid ||
isAgent()
);
allow delete: if isAdmin();
}
// Assets
match /assets/{assetId} {
allow read: if isAuthenticated();
allow create: if isAgent() && hasValidFields(['name', 'type', 'status']);
allow update: if isAgent();
allow delete: if isAdmin();
}
// Knowledge Base Articles
match /articles/{articleId} {
allow read: if true; // Public access for knowledge base
allow create: if isAgent() && hasValidFields(['title', 'content', 'category']);
allow update: if isAgent();
allow delete: if isAdmin();
}
// Settings
match /settings/{settingId} {
allow read: if true;
allow write: if isAdmin();
}
// Service Status
match /services/{serviceId} {
allow read: if true;
allow write: if isAgent();
}
// Incidents
match /incidents/{incidentId} {
allow read: if true;
allow write: if isAgent();
}
// Comments
match /comments/{commentId} {
allow read: if isAuthenticated();
allow create: if isAuthenticated() && hasValidFields(['content', 'userId', 'timestamp']);
allow update: if isAuthenticated() && resource.data.userId == request.auth.uid;
allow delete: if isAdmin() || resource.data.userId == request.auth.uid;
}
// Notifications
match /notifications/{notificationId} {
allow read: if isAuthenticated() && resource.data.userId == request.auth.uid;
allow create: if isAgent();
allow update: if isAgent() || resource.data.userId == request.auth.uid;
allow delete: if isAdmin() || resource.data.userId == request.auth.uid;
}
// User Settings
match /userSettings/{userId} {
allow read: if isAuthenticated() && (isOwner(userId) || isAdmin());
allow write: if isAuthenticated() && (isOwner(userId) || isAdmin());
}
// Analytics
match /analytics/{docId} {
allow read: if isAgent();
allow write: if isAgent();
}
}
}