Firestore의
「규칙」 탭에 아래 내용을 그대로 붙여넣고
게시를 누릅니다.
(본인 계정의 데이터만 읽고 쓸 수 있게 하는 보안 규칙입니다)
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
function isTeamAdmin(teamId) {
let t = get(/databases/$(database)/documents/teams/$(teamId)).data;
return request.auth.uid == t.ownerUid
|| (('roles' in t) && t.roles[request.auth.uid] == 'admin');
}
match /users/{uid} {
allow read, write: if request.auth != null
&& request.auth.uid == uid;
}
// 초대 코드: 관리자가 발급/폐기, 코드를 아는 사람만 조회 가능
match /invites/{code} {
allow get: if request.auth != null;
allow list: if request.auth != null
&& isTeamAdmin(resource.data.teamId);
allow create: if request.auth != null
&& isTeamAdmin(request.resource.data.teamId);
allow delete: if request.auth != null
&& isTeamAdmin(resource.data.teamId);
}
match /teams/{teamId} {
allow read: if request.auth != null
&& request.auth.uid in resource.data.members;
// 새 장부(팀) 생성 금지: 초대 코드로만 참여 가능
allow create: if false;
allow update: if request.auth != null && (
request.auth.uid == resource.data.ownerUid
|| (('roles' in resource.data)
&& resource.data.roles[request.auth.uid] == 'admin')
// 유효한 초대 코드를 가진 사람의 자기 자신 추가만 허용
|| (request.resource.data.diff(resource.data)
.affectedKeys().hasOnly(['members', 'lastJoinCode'])
&& request.resource.data.members.diff(resource.data.members)
.affectedKeys().hasOnly([request.auth.uid])
&& get(/databases/$(database)/documents/invites/$(request.resource.data.lastJoinCode)).data.teamId == teamId)
|| (request.resource.data.diff(resource.data)
.affectedKeys().hasOnly(['nicknames']))
);
match /data/{doc} {
function member() { return request.auth != null
&& request.auth.uid in
get(/databases/$(database)/documents/teams/$(teamId)).data.members; }
function teamAdmin() {
let t = get(/databases/$(database)/documents/teams/$(teamId)).data;
return request.auth.uid == t.ownerUid
|| (('roles' in t) && t.roles[request.auth.uid] == 'admin'); }
allow read: if member();
allow write: if member() && (
doc != 'activity'
|| resource == null
|| teamAdmin()
|| request.resource.data.activity.size()
>= resource.data.activity.size()
);
}
}
match /ledgers/{uid} {
allow read, write: if request.auth != null
&& request.auth.uid == uid;
match /{document=**} {
allow read, write: if request.auth != null
&& request.auth.uid == uid;
}
}
}
}