forked from rawkintrevo/numfocus-agent-lab
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathfirestore.rules
More file actions
84 lines (73 loc) · 3.52 KB
/
firestore.rules
File metadata and controls
84 lines (73 loc) · 3.52 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// --- Helper Functions ---
function isOwner(docData) {
return request.auth != null && request.auth.uid == docData.ownerId || request.auth.uid == docData.userId;
}
function isAdmin() {
return request.auth != null && exists(/databases/$(database)/documents/users/$(request.auth.uid)) &&
get(/databases/$(database)/documents/users/$(request.auth.uid)).data.permissions.isAdmin == true;
}
// --- Users Collection ---
match /users/{userId} {
allow get: if request.auth.uid == userId || isAdmin();
allow list: if isAdmin();
allow create: if request.auth.uid == userId && !("permissions" in request.resource.data);
allow update: if (request.auth.uid == userId &&
request.resource.data.diff(resource.data).affectedKeys().hasOnly(['lastLoginAt', 'email', 'displayName', 'photoURL', 'updatedAt']))
|| (isAdmin() &&
request.resource.data.diff(resource.data).affectedKeys().hasAny(['permissions', 'permissionsLastUpdatedAt']));
allow delete: if isAdmin();
}
// --- Projects Collection ---
match /projects/{projectId} {
// NOTE: For now, any authenticated user can read any project.
allow get, list: if request.auth != null;
allow create: if request.auth != null && request.resource.data.ownerId == request.auth.uid;
allow update: if isOwner(resource.data) || isAdmin();
allow delete: if isAdmin(); // Only admins can delete projects
}
// --- Models Collection ---
match /models/{modelId} {
allow create: if request.auth != null && request.resource.data.ownerId == request.auth.uid;
// Read if owner, public, or admin. List if authenticated (for queries).
allow get: if isOwner(resource.data) || resource.data.isPublic == true || isAdmin();
allow list: if request.auth != null;
allow update, delete: if isOwner(resource.data) || isAdmin();
}
// --- Agents Collection (Corrected) ---
match /agents/{agentId} {
function isAgentPublic() { return resource.data.isPublic == true; }
allow create: if request.auth.uid == request.resource.data.userId;
// Read if owner, public, or admin.
allow get: if isOwner(resource.data) || isAgentPublic() || isAdmin();
// List if authenticated. This is the key fix for the project details page.
allow list: if request.auth != null;
// Write if owner or admin, but don't let them change the owner.
allow update: if (isOwner(resource.data) || isAdmin()) && request.resource.data.userId == resource.data.userId;
allow delete: if isOwner(resource.data) || isAdmin();
// Agent Runs Subcollection (Kept simple for now)
match /runs/{runId} {
// This is legacy and can be tightened if needed
allow read, write: if request.auth != null;
}
}
// --- Chats Collection ---
match /chats/{chatId} {
// NOTE: For now, any authenticated user can interact with any chat.
// This will be restricted by project membership in a future iteration.
allow read, write: if request.auth != null;
// Messages Subcollection
match /messages/{messageId} {
// NOTE: Same as parent chat, open for now.
allow read, write: if request.auth != null;
}
}
// --- Gofannon Tool Manifest ---
match /gofannonToolManifest/{docId} {
allow read: if request.auth != null;
allow write: if isAdmin();
}
}
}