fix: block answer delete in rules, enforce userId match on create (batch v1.0.18)
This commit is contained in:
parent
8de5990230
commit
b64ae1f29a
|
|
@ -363,9 +363,10 @@ service cloud.firestore {
|
||||||
// Accepts schemaVersion 3 (sealed:v1: partner-proof) or schemaVersion 2 (enc:v1: couple-key).
|
// Accepts schemaVersion 3 (sealed:v1: partner-proof) or schemaVersion 2 (enc:v1: couple-key).
|
||||||
match /answers/{userId} {
|
match /answers/{userId} {
|
||||||
allow read: if isCouplesMember(coupleId);
|
allow read: if isCouplesMember(coupleId);
|
||||||
allow delete: if isOwner(userId);
|
allow delete: if false;
|
||||||
allow create: if isCouplesMember(coupleId)
|
allow create: if isCouplesMember(coupleId)
|
||||||
&& isOwner(userId)
|
&& isOwner(userId)
|
||||||
|
&& request.resource.data.userId == request.auth.uid
|
||||||
&& coupleEncryptionEnabled(coupleId)
|
&& coupleEncryptionEnabled(coupleId)
|
||||||
&& (
|
&& (
|
||||||
isSealedThreadAnswerCreate(request.resource.data)
|
isSealedThreadAnswerCreate(request.resource.data)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue