fix: block answer delete in rules, enforce userId match on create (batch v1.0.18)
This commit is contained in:
parent
8de5990230
commit
b64ae1f29a
|
|
@ -363,9 +363,10 @@ service cloud.firestore {
|
|||
// Accepts schemaVersion 3 (sealed:v1: partner-proof) or schemaVersion 2 (enc:v1: couple-key).
|
||||
match /answers/{userId} {
|
||||
allow read: if isCouplesMember(coupleId);
|
||||
allow delete: if isOwner(userId);
|
||||
allow delete: if false;
|
||||
allow create: if isCouplesMember(coupleId)
|
||||
&& isOwner(userId)
|
||||
&& request.resource.data.userId == request.auth.uid
|
||||
&& coupleEncryptionEnabled(coupleId)
|
||||
&& (
|
||||
isSealedThreadAnswerCreate(request.resource.data)
|
||||
|
|
|
|||
Loading…
Reference in New Issue