ultralab/firestore.rules at master · ppcvote/ultralab · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    match /inquiries/{docId} {
      // Anyone can create an inquiry (contact form)
      allow create: if
        request.resource.data.keys().hasAll(['name', 'email', 'service']) &&
        request.resource.data.name.size() > 0 &&
        request.resource.data.name.size() < 200 &&
        request.resource.data.email.size() > 0 &&
        request.resource.data.email.size() < 200 &&
        request.resource.data['service'].size() > 0 &&
        ('message' in request.resource.data ? request.resource.data['message'].size() < 5000 : true);

      // Admin can read and update inquiries
      allow read, update: if request.auth != null
        && request.auth.token.email == '[email protected]';

      allow delete: if false;

      // Email records subcollection
      match /emails/{emailId} {
        allow read, create: if request.auth != null
          && request.auth.token.email == '[email protected]';
        allow delete, update: if false;
      }
    }

    // Products — anyone can read active products
    match /products/{productId} {
      allow read: if true;
      allow write: if request.auth != null
        && request.auth.token.email == '[email protected]';
    }

    // Orders — anyone can create, admin can read/update
    match /orders/{orderId} {
      allow create: if
        request.resource.data.keys().hasAll(['items', 'totalAmount', 'customer', 'status']) &&
        request.resource.data.status == 'pending' &&
        request.resource.data.totalAmount is number &&
        request.resource.data.totalAmount > 0;

      allow read, update: if request.auth != null
        && request.auth.token.email == '[email protected]';

      allow delete: if false;
    }

    // UltraProbe — server-side only (via firebase-admin)
    match /rate_limits/{docId} {
      allow read, write: if false;
    }

    match /probe_leads/{docId} {
      allow read, write: if false;
    }

    match /counters/{counterId} {
      allow read, write: if false;
    }

    // UltraProbe API — server-side only
    match /api_keys/{keyId} {
      allow read, write: if false;
    }

    match /api_usage/{keyId}/{document=**} {
      allow read, write: if false;
    }

    match /vulnerability_database/{scanId} {
      allow read, write: if false;
    }

    // Agent activity — public read (displayed on /agent page)
    // Write: server-side only via Admin SDK (sync script)
    match /agent-activity/{docId} {
      allow read: if true;
      allow write: if false;
    }

    // Atlas guestbook — public read + create (anonymous visitor comments
    // on each pin during Min Yi's Germany trip). Validated and rate-shaped
    // by client; no update/delete from client.
    match /atlas-guestbook/{pinId}/messages/{msgId} {
      allow read: if true;
      allow create: if
        request.resource.data.keys().hasAll(['text', 'createdAt']) &&
        request.resource.data.text is string &&
        request.resource.data.text.size() > 0 &&
        request.resource.data.text.size() <= 280 &&
        ('name' in request.resource.data ? request.resource.data.name.size() <= 30 : true);
      allow update, delete: if false;
    }

    // Allow collectionGroup query across all pins' messages — needed for the
    // "全站最新留言" widget that aggregates guestbook entries from every pin.
    // Read-only; writes still go through the per-pin rule above.
    match /{path=**}/messages/{msgId} {
      allow read: if true;
    }

    // Atlas subscribers — public create only (visitor email signup for
    // daily digest). Server-only read via Admin SDK.
    match /atlas-subscribers/{subId} {
      allow read, update, delete: if false;
      allow create: if
        request.resource.data.keys().hasAll(['email', 'createdAt']) &&
        request.resource.data.email is string &&
        request.resource.data.email.matches('^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$') &&
        request.resource.data.email.size() <= 254;
    }

    // Atlas spotify (refresh_token) — server-side only via Admin SDK (legacy)
    match /atlas/{docId} {
      allow read, write: if false;
    }

    match /{document=**} {
      allow read, write: if false;
    }
  }
}