fix: block answer delete in rules, enforce userId match on create (batch v1.0.18)

null 2026-06-20 01:19:02 -05:00
parent 8de5990230
commit b64ae1f29a
1 changed files with 2 additions and 1 deletions


@ -363,9 +363,10 @@ service cloud.firestore {
// Accepts schemaVersion 3 (sealed:v1: partner-proof) or schemaVersion 2 (enc:v1: couple-key). // Accepts schemaVersion 3 (sealed:v1: partner-proof) or schemaVersion 2 (enc:v1: couple-key).
match /answers/{userId} { match /answers/{userId} {
allow read: if isCouplesMember(coupleId); allow read: if isCouplesMember(coupleId);
allow delete: if isOwner(userId); allow delete: if false;
allow create: if isCouplesMember(coupleId) allow create: if isCouplesMember(coupleId)
&& isOwner(userId) && isOwner(userId)
&& request.resource.data.userId == request.auth.uid
&& coupleEncryptionEnabled(coupleId) && coupleEncryptionEnabled(coupleId)
&& ( && (
isSealedThreadAnswerCreate(request.resource.data) isSealedThreadAnswerCreate(request.resource.data)
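Review bot: The added `request.resource.data.userId == request.auth.uid` check on `allow create` binds the field only at creation time. If an `allow update` rule exists for `/answers/{userId}` outside this hunk, it needs the same pin, e.g. `&& request.resource.data.userId == resource.data.userId`, otherwise the field can be rewritten after the document exists. The `allow create` expression continues past the end of the hunk, so the rest of its condition is not visible here. `allow delete: if false;` should carry a one-line comment saying why client deletes are denied and which path is expected to remove answers instead (presumably a privileged server path — confirm), so a later edit does not quietly restore `isOwner(userId)`. A rules unit test asserting that an owner's delete and a create with a mismatched `userId` are both rejected would guard against regression.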