krakenscores/firestore.rules at main · gitobic/krakenscores · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
  rules_version = '2';
  service cloud.firestore {
    match /databases/{database}/documents {

      // Helper functions
      function isSignedIn() {
        return request.auth != null;
      }

      function isAdmin() {
        return isSignedIn() &&
               exists(/databases/$(database)/documents/admins/$(request.auth.uid));
      }

      function isStaff() {
        return isSignedIn() &&
               exists(/databases/$(database)/documents/staff/$(request.auth.uid));
      }

      // Public read for all tournament data (anyone can view scores)
      // Only admins can write
      match /tournaments/{tournamentId} {
        allow read: if true;
        allow write: if isAdmin();
      }

      match /clubs/{clubId} {
        allow read: if true;
        allow write: if isAdmin();
      }

      match /divisions/{divisionId} {
        allow read: if true;
        allow write: if isAdmin();
      }

      match /teams/{teamId} {
        allow read: if true;
        allow write: if isAdmin();
      }

      match /pools/{poolId} {
        allow read: if true;
        allow write: if isAdmin();
      }

      match /matches/{matchId} {
        allow read: if true;
        // Staff can update scores and status only
        allow update: if isStaff() &&
          request.resource.data.diff(resource.data).affectedKeys()
            .hasOnly(['darkTeamScore', 'lightTeamScore', 'status', 'period', 'updatedAt']);
        // Admins have full write access
        allow create, delete: if isAdmin();
        allow update: if isAdmin();
      }

      match /scheduleBreaks/{breakId} {
        allow read: if true;
        allow write: if isAdmin();
      }

      match /announcements/{announcementId} {
        allow read: if true;
        allow write: if isAdmin();
      }

      match /standings/{standingId} {
        allow read: if true;
        allow write: if isAdmin();
      }

      // Admin list - CRITICAL: Only admins can read this
      // Nobody can write (manual setup only via Firebase Console)
      match /admins/{userId} {
        allow read: if isAdmin();
        allow write: if false;  // Prevent any writes via app
      }

      // Staff list - Only admins can read this
      // Nobody can write (manual setup only via Firebase Console)
      match /staff/{userId} {
        allow read: if isAdmin();
        allow write: if false;  // Prevent any writes via app
      }
    }
  }