
Firestore Security Rules

Copy these rules to Firebase Console → Firestore → Rules.

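rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // =========================================================================
    // HELPERS
    // =========================================================================
    // Shared predicates so every collection checks auth and admin status the
    // same way.
    // =========================================================================

    // True when the request carries a Firebase Auth identity.
    function isSignedIn() {
      return request.auth != null;
    }

    // True when the signed-in caller is the user named in the document path.
    function isOwner(userId) {
      return isSignedIn() && request.auth.uid == userId;
    }

    // True when the caller's own /users document has isAdmin == true.
    // Admin status is read from that document, so the /users rules below must
    // never let a client set or change the isAdmin field.
    function isAdmin() {
      return isSignedIn() &&
             get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isAdmin == true;
    }

    // =========================================================================
    // USERS
    // =========================================================================
    // - Anyone authenticated can READ (for leaderboard)
    // - Only the user can WRITE their own document
    // - The isAdmin field cannot be set or changed by a client; it is granted
    //   only from the Firebase Console or a privileged server credential,
    //   both of which bypass these rules.
    // =========================================================================
    match /users/{userId} {
      // NOTE(review): this exposes every field of every user document to any
      // signed-in user. If the document holds more than leaderboard data,
      // consider moving the public fields to a separate collection.
      allow read: if isSignedIn();

      // A new document may omit isAdmin or set it to false, never true.
      allow create: if isOwner(userId) &&
                       request.resource.data.get('isAdmin', false) == false;

      // An update must leave isAdmin untouched (not added, changed or removed).
      // Without this check a user could write isAdmin: true on their own
      // document and pass every admin-only rule below.
      // NOTE(review): any other field the app trusts (for example a
      // leaderboard score, if it is stored here) is still owner-writable.
      // Confirm and add such fields to the list.
      allow update: if isOwner(userId) &&
                       !request.resource.data.diff(resource.data).affectedKeys().hasAny(['isAdmin']);

      allow delete: if isOwner(userId);

      // Notifications subcollection - user's own only
      match /notifications/{notificationId} {
        allow read, write: if isOwner(userId);
      }
    }

    // =========================================================================
    // OFFERS
    // =========================================================================
    // - Anyone authenticated can READ
    // - Only admins can WRITE
    // =========================================================================
    match /offers/{offerId} {
      allow read: if isSignedIn();
      allow write: if isAdmin();
    }

    // =========================================================================
    // ANNOUNCEMENTS
    // =========================================================================
    // - Anyone authenticated can READ
    // - Only admins can WRITE
    // =========================================================================
    match /announcements/{announcementId} {
      allow read: if isSignedIn();
      allow write: if isAdmin();
    }

    // =========================================================================
    // KIOSKS
    // =========================================================================
    // - Anyone authenticated can READ
    // - Only admins can WRITE (API uses admin SDK, bypasses rules)
    // NOTE(review): confirm how the API actually authenticates; only requests
    // made with service-account credentials bypass these rules.
    // =========================================================================
    match /kiosks/{kioskId} {
      allow read: if isSignedIn();
      allow write: if isAdmin();
    }

    // =========================================================================
    // TRANSACTIONS
    // =========================================================================
    // - Anyone authenticated can READ
    // - Anyone authenticated can WRITE (API creates transactions)
    // NOTE(review): as written, any signed-in user can read, create, modify
    // and delete every transaction, including other users'. If only the API
    // creates transactions with a server credential, client writes can be
    // denied here; otherwise restrict reads and creates to the owning user and
    // deny update/delete. The owner field name is not shown on this page, so
    // the rule is left unchanged.
    // =========================================================================
    match /transactions/{transactionId} {
      allow read: if isSignedIn();
      allow write: if isSignedIn();
    }
  }
}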

Notes

Admin Access

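To make a user an admin: 1. Go to the Firestore Console 2. Find the user's document in the users collection 3. Add the field isAdmin: true. Because admin status is read from this field, the users rule must not allow a user to set or change isAdmin on their own document.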

API Access

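The PHP API calls the Firestore REST API without authenticating (it accesses public endpoints). REST requests that carry no Firebase ID token are evaluated by these rules with request.auth == null, so every rule above denies them; requests made with service-account credentials bypass the rules entirely. For production, consider: 1. Using the Firebase Admin SDK 2. Adding service account authentication 3. Restricting REST API access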

Testing Rules

Use Firebase Console → Firestore → Rules Playground to test rules before deploying.