Configure firebase rules #36
Description
I have had a lot of trouble getting the rules set up as we need them. They are powerful, but really can't handle our special requirements, such as allowing anyone to increment purchase URI click counts.
At time of writing, I've left them in the best state I can, but naturally they will allow a few things we don't want to allow.
Requirements
I'll ignore managing users as they work separately to all this.
If you are logged in, you must be able to:
- create and update brands, categories and products
- create audit logs
If you are not logged in, you must be able to:
- update purchaseURIClicks in any product record
- create audit logs with a userType of "anonymous"
Audit logs must never be updated.
Problems
Some of the rules depend on specific values in the record, and which fields are being populated/updated.
The rules are such that if a rule returns "true", you can't have a more specific rule that overturns that and returns false.
It seems to be hard to test in a generic rule whether or not you're creating an auditLog.
The rule simulator is very hard to use. Eg you can't save your tests. You need to perform about 15 different tests to know the rules are working correctly.
Notes
For audit logs, I was trying to do this to say, "You can only create records, and you can only do it if either you're logged in or the userType is 'anonymous'", but it didn't seem to work:
"auditLog": {
"$auditLog": {
".write": "!data.exists() && (auth !== null || newData.child('userType').val() == 'anonymous')"
}
},