Last active
June 27, 2019 23:58
-
-
Save InputNeuron/3e191159d943d15e59ec5880493e931e to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function hasUserGroup() { | |
| return exists(/databases/$(database)/documents/user_group/$(request.auth.uid)); | |
| } | |
| function getUserGroup() { | |
| return get(/databases/$(database)/documents/user_group/$(request.auth.uid)); | |
| } | |
| function isPermittedGroupWithinSet(allowedGroups, groups) { | |
| return allowedGroups != null && allowedGroups.hasAny(groups); | |
| } | |
| function isPermittedGroup(groupID) { | |
| return hasUserGroup() && | |
| isPermittedGroupWithinSet(getUserGroup().data.groups, [groupID]) || | |
| isPermittedGroupWithinSet(getUserGroup().data.invitations, [groupID]); | |
| } | |
| /** | |
| */ | |
| function isPermittedGroups(groups) { | |
| return hasUserGroup() && | |
| isPermittedGroupWithinSet(getUserGroup().data.groups, groups) || | |
| isPermittedGroupWithinSet(getUserGroup().data.invitations, groups); | |
| } | |
| function existsGroup() { | |
| return exists(/databases/$(database)/documents/group/$(resource.data.groupID)); | |
| } | |
| function getGroup() { | |
| return get(/databases/$(database)/documents/group/$(resource.data.groupID)); | |
| } | |
| // allows us to lookup the group by group_id and see if the visibility allows | |
| // access or if the user is already in the group as a member. | |
| // we can read/write if the group is public | |
| allow read: if existsGroup() && ['public', 'protected'].hasAny([getGroup().data.visibility]); | |
| // only allow members of this group to read which documents are | |
| // contained here. Writes are not allowed because they are implemented | |
| // via a cloud hook. | |
| allow read: if existsGroup() && isPermittedGroup(resource.data.groupID); | |
| // allow write if the user is the owner by looking at their profileID. | |
| allow write: if hasProfileID() && getProfileID() == resource.data.profileID; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment