This repository has been archived by the owner on Nov 25, 2021. It is now read-only.
database.rules.json
{
"rules": {
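// DEV ONLY: keep the two root rules below commented out in anything that is deployed.
// Realtime Database rules cascade downwards: a ".read" or ".write" granted here cannot
// be revoked by a rule deeper in the tree. Enabled, they let unauthenticated clients read
// the whole database and let any signed-in user write to every path (only ".validate"
// rules would still be checked), which overrides every per-path rule below.
// ".read": true,
// ".write": "auth.uid != null",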
//Index the children of userGroupCodes by their value so that queries ordered by value can use an index
//No ".read"/".write" is declared on this node, so client access here depends entirely on rules granted higher up the tree
"userGroupCodes":{
".indexOn": ".value"
},
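//Any signed-in user can read; this node grants no client write (only cloud functions write here)
//The two query fields are indexed for lookups
"userSnippets": {
  ".read": "auth.uid != null",
  ".write": false,
  ".indexOn": ["usernameQuery", "displayNameQuery"]
},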
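//Any signed-in user can read; only the owner ($uid) can write or delete
//Only these 5 properties are allowed, anything else is invalid
//Each property must be a string within its length limit when it is present
"userSnippetExtras": {
  ".read": "auth.uid != null",
  "$uid": {
    ".write": "auth.uid == $uid",
    //Require an object here: the per-field checks below only run on child nodes,
    //so without this a scalar of any size written directly at $uid would skip them
    ".validate": "newData.hasChildren()",
    "facebook": { ".validate": "(!newData.exists()) || (newData.isString() && newData.val().length <= 100)" },
    "instagram": { ".validate": "(!newData.exists()) || (newData.isString() && newData.val().length <= 30)" },
    "github": { ".validate": "(!newData.exists()) || (newData.isString() && newData.val().length <= 39)" },
    "snapchat": { ".validate": "(!newData.exists()) || (newData.isString() && newData.val().length <= 30)" },
    "twitter": { ".validate": "(!newData.exists()) || (newData.isString() && newData.val().length <= 15)" },
    //Reject any property that is not listed above
    "$other": { ".validate": false }
  }
},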
//Any signed-in user can read; this node grants no client write (only cloud functions write here)
"usernames": {
".read": "auth.uid != null",
".write": false
},
//Users can only view their own inbox and outbox, they can't write to them
//Creation and deletion is handled by cloud functions
"friendRequests":{
"$uid": {
"inbox": {
//Readable only by the user whose uid matches this path segment
".read": "auth.uid == $uid",
".write": false
},
"outbox": {
//Readable only by the user whose uid matches this path segment
".read": "auth.uid == $uid",
".write": false
}
}
},
//Users can read anything in their own friend section
//They can't write anything though, writing is all done by cloud functions
"userFriendGroupings":{
"$uid": {
".read": "auth.uid == $uid",
".write": false
}
},
//Only the user themselves can see the list of groups that they're a part of
//They can't write anything though, writing is all done by cloud functions
"userGroupMemberships":{
"$uid": {
".read": "auth.uid == $uid",
".write": false
}
},
//Only members of a group can read its info
//Writing is reserved for cloud functions
"userGroups":{
"$groupId": {
//Membership check: the reader's uid must exist as a key under this group's memberUids
".read": "auth.uid != null && data.child('memberUids').child(auth.uid).exists()",
".write": false
}
},
//Users can read their own saved locations, and write to them if they follow a specific format
//Only 2 properties (name, geolocation) are allowed, anything else is invalid
//Owners can write and delete, but when they're writing it can't be too long or too large
"savedLocations":{
"$uid":{
".read": "auth.uid == $uid",
"$locationID":{
".write": "auth.uid == $uid",
//A location that exists after the write must have a name
".validate": "newData.hasChild('name') || !newData.exists()",
"name":{
//name must be a string of at most 200 characters
".validate": "!newData.exists() || (newData.isString() && newData.val().length <= 200)"
},
"geolocation":{
//geolocation is optional, but when present it needs both latitude and longitude
".validate": "newData.hasChildren(['latitude', 'longitude']) || !newData.exists()",
//Both coordinates must be numbers inside the valid range
"latitude":{".validate": "(!newData.exists()) || (newData.isNumber() && newData.val() <= 90 && newData.val() >= -90)"},
"longitude":{".validate": "(!newData.exists()) || (newData.isNumber() && newData.val() <= 180 && newData.val() >= -180)"},
//Reject any other property under geolocation
"$other": { ".validate": false }
},
//Reject any property other than name and geolocation
"$other": { ".validate": false }
}
}
},
//Only the owner can read their feed, no one can write (only cloud functions)
"feeds": {
"$uid": {
".read": "auth.uid == $uid",
".write": false
}
},
//The owner can read everything about their active broadcasts (including the private directory)
//Once again, writing is reserved to cloud functions
//Users who were sent a broadcast (it exists in their feed) can also read that broadcast's public and responders directories
//A user who isn't the owner can only read responders through a query ordered by 'status' and filtered to 'Confirmed'
"activeBroadcasts": {
"$uid": {
"private": {
".read": "auth.uid == $uid",
".write": false
},
"public":{
".read": "auth.uid == $uid",
"$broadcastId":{
//Recipient check: the broadcast id must exist under the reader's own feed
//NOTE(review): the check is keyed on $broadcastId only, not on the owner $uid; presumably broadcast ids are unique across owners, confirm
".read": "root.child('feeds').child(auth.uid).child($broadcastId).exists()",
".write": false
}
},
"responders":{
".read": "auth.uid == $uid",
"$broadcastId":{
//Same recipient check as public, plus the read must be a query with orderByChild 'status' and equalTo 'Confirmed'
".read": "root.child('feeds').child(auth.uid).child($broadcastId).exists() && query.orderByChild == 'status' && query.equalTo == 'Confirmed'",
".write": false
}
}
}
}
}
}