chore: update couple create rule comment to reflect server-only flow (batch v0.2.20)
This commit is contained in:
parent
c31177d52b
commit
8be7b7da0e
|
|
@ -200,8 +200,9 @@ service cloud.firestore {
|
|||
// Read: both members can read
|
||||
allow read: if isCouplesMember(coupleId);
|
||||
|
||||
// Create: acceptor creates the couple doc during pairing (client-side).
|
||||
// Must be a member of the couple and include required fields.
|
||||
// Create: server-side only via the acceptInviteCallable Cloud Function.
|
||||
// The Admin SDK bypasses these rules. The shape check remains as defense
|
||||
// in depth in case any other trusted server process creates a couple doc.
|
||||
allow create: if isSignedIn()
|
||||
&& request.auth.uid in request.resource.data.userIds
|
||||
&& request.resource.data.keys().hasAll([
|
||||
|
|
|
|||
Loading…
Reference in New Issue