[Security] : Replace Client-Side Hardcoded Admin Authorization with Server-Enforced Access Control

firestore.rules

@@ -0,0 +1,66 @@
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+    // Helper function to check if the current user is an admin
+    function isAdmin() {
+      return request.auth != null &&
+             request.auth.token.email != null &&
+             exists(/databases/$(database)/documents/admins/$(request.auth.token.email.toLowerCase()));
+    }
+
+    // Rules for the admins collection
+    match /admins/{email} {
+      allow read: if request.auth != null && (request.auth.token.email.toLowerCase() == email.toLowerCase() || isAdmin());
+      allow write: if isAdmin();
+    }
+
+    // Rules for user profiles
+    match /profiles/{userId} {
+      allow read: if request.auth != null;
+      allow create, update: if request.auth != null && request.auth.uid == userId;
+      allow delete: if isAdmin();
+    }
+
+    // Rules for stories
+    match /stories/{storyId} {
+      allow read: if true;
+      allow create: if request.auth != null;
+      allow update: if request.auth != null && (request.auth.uid == resource.data.author_id || isAdmin());
+      allow delete: if isAdmin();
+    }
+
+    // Rules for reactions
+    match /reactions/{reactionId} {
+      allow read: if true;
+      allow create, update: if request.auth != null;
+      allow delete: if request.auth != null && (request.auth.uid == resource.data.user_id || isAdmin());
+    }
+
+    // Rules for reports
+    match /reports/{reportId} {
+      allow read: if isAdmin();
+      allow create: if request.auth != null;
+      allow update, delete: if isAdmin();
+    }
+
+    // Rules for ngos
+    match /ngos/{ngoId} {
+      allow read: if true;
+      allow write: if isAdmin();
+    }
+
+    // Rules for ngo_requests
+    match /ngo_requests/{requestId} {
+      allow read: if isAdmin();
+      allow create: if request.auth != null;
+      allow update, delete: if isAdmin();
+    }
+
+    // Rules for testimonials
+    match /testimonials/{testimonialId} {
+      allow read: if true;
+      allow create: if request.auth != null;
+      allow update, delete: if isAdmin();
+    }
+  }
+}

src/components/Navbar.tsx

@@ -1,23 +1,37 @@
 import { useEffect, useState } from 'react';
 import { Link, useNavigate, useLocation } from 'react-router-dom';
 import { Heart, Menu, X, Moon, Sun } from 'lucide-react';
-import { auth } from '../lib/firebase';
+import { auth, db } from '../lib/firebase';
 import { onAuthStateChanged } from 'firebase/auth';
+import { doc, getDoc } from 'firebase/firestore';
 import { toast } from 'react-hot-toast';
 import { useTheme } from '../context/ThemeContext';
 
-const ADMIN_EMAILS = ['safevoiceforwomen@gmail.com', 'piyushydv011@gmail.com', 'aditiraj0205@gmail.com'];
-
 export default function Navbar() {
   const [isMenuOpen, setIsMenuOpen] = useState(false);
   const [user, setUser] = useState<any>(null);
+  const [isAdmin, setIsAdmin] = useState(false);
   const [scrolled, setScrolled] = useState(false);
   const navigate = useNavigate();
   const location = useLocation();
   const { theme, toggleTheme } = useTheme();
 
   useEffect(() => {
-    const unsubscribe = onAuthStateChanged(auth, (currentUser) => setUser(currentUser));
+    const unsubscribe = onAuthStateChanged(auth, async (currentUser) => {
+      setUser(currentUser);
+      if (currentUser && currentUser.email) {
+        try {
+          const docRef = doc(db, 'admins', currentUser.email.toLowerCase());
+          const docSnap = await getDoc(docRef);
+          setIsAdmin(docSnap.exists());
+        } catch (error) {
+          console.error("Error checking admin status:", error);
+          setIsAdmin(false);
+        }
+      } else {
+        setIsAdmin(false);
+      }
+    });
     return () => unsubscribe();
   }, []);
 
@@ -35,8 +49,6 @@ export default function Navbar() {
     setIsMenuOpen(false);
   }, [location.pathname]);
 
-  const isAdmin = user && ADMIN_EMAILS.includes(user.email || '');
-
   const handleSignOut = async () => {
     try {
       await auth.signOut();

src/pages/AdminDashboard.tsx

@@ -5,6 +5,7 @@ import {
   collection,
   getDocs,
   doc,
+  getDoc,
   addDoc,
   deleteDoc,
   serverTimestamp,
@@ -18,10 +19,6 @@ import { useNavigate } from 'react-router-dom';
 import { toast } from 'react-hot-toast';
 import { CheckCircle, XCircle, Shield, Mail, Trash2, Flag } from 'lucide-react';
 
-// --- Authorization ---
-// Only users signed in with these emails can see this page.
-const ADMIN_EMAILS = ['safevoiceforwomen@gmail.com', 'piyushydv011@gmail.com', 'aditiraj0205@gmail.com'];
-
 const db = getFirestore();
 
 interface NGORequest {
@@ -67,10 +64,23 @@ export default function AdminDashboard() {
 
   // Check authorization and fetch data
   useEffect(() => {
-    const unsubscribe = auth.onAuthStateChanged(user => {
-      if (user && ADMIN_EMAILS.includes(user.email || '')) {
-        setIsAuthorized(true);
-        fetchAllAdminData();
+    const unsubscribe = auth.onAuthStateChanged(async (user) => {
+      if (user && user.email) {
+        try {
+          const docRef = doc(db, 'admins', user.email.toLowerCase());
+          const docSnap = await getDoc(docRef);
+          if (docSnap.exists()) {
+            setIsAuthorized(true);
+            fetchAllAdminData();
+          } else {
+            setIsAuthorized(false);
+            setLoading(false);
+          }
+        } catch (error) {
+          console.error("Error checking admin status:", error);
+          setIsAuthorized(false);
+          setLoading(false);
+        }
       } else {
         setIsAuthorized(false);
         setLoading(false);

src/pages/Resources.tsx

@@ -25,6 +25,7 @@ import {
   collection,
   deleteDoc,
   doc,
+  getDoc,
   getDocs,
   getFirestore,
   query,
@@ -34,12 +35,6 @@ import {
 
 const db = getFirestore();
 
-const ADMIN_EMAILS = [
-  "safevoiceforwomen@gmail.com",
-  "piyushydv011@gmail.com",
-  "aditiraj0205@gmail.com",
-];
-
 interface NGO {
   id: string;
   name: string;
@@ -285,6 +280,7 @@ export default function Resources() {
   const navigate = useNavigate();
 
   const [user, setUser] = useState(auth.currentUser);
+  const [isAdmin, setIsAdmin] = useState(false);
   const [ngos, setNGOs] = useState<NGO[]>([]);
   const [loadingNGOs, setLoadingNGOs] = useState(true);
 
@@ -300,14 +296,24 @@ export default function Resources() {
   const [loadingRequest, setLoadingRequest] = useState(false);
 
   useEffect(() => {
-    const unsubscribe = auth.onAuthStateChanged(setUser);
+    const unsubscribe = auth.onAuthStateChanged(async (currentUser) => {
+      setUser(currentUser);
+      if (currentUser && currentUser.email) {
+        try {
+          const docRef = doc(db, "admins", currentUser.email.toLowerCase());
+          const docSnap = await getDoc(docRef);
+          setIsAdmin(docSnap.exists());
+        } catch (error) {
+          console.error("Error checking admin status:", error);
+          setIsAdmin(false);
+        }
+      } else {
+        setIsAdmin(false);
+      }
+    });
     return () => unsubscribe();
   }, []);
 
-  const isAdmin = !!(
-    user && ADMIN_EMAILS.includes(user.email || "")
-  );
-
   useEffect(() => {
     const fetchNGOs = async () => {
       setLoadingNGOs(true);