
Code

The document is a Firebase Realtime Database rules file for an admin panel. The dashboard_stats, promoCodes and customerOffers nodes are intended to be admin-only, but their rules only require a signed-in user (auth != null), so any authenticated account can read and write them. Under orders, the parent .read again admits every signed-in user rather than just admins; each order's .write is meant to let a customer create a new order only when it does not yet exist and its customerId equals the caller's uid, while letting admins update existing orders. Nothing in the rules identifies an admin: the file relies on a client-side Firestore role check, which the database cannot see, so the "admin" branch is enforced by authentication alone.
Copyright © All Rights Reserved

{
  "rules": {
    // "Admin" sections. As written, any signed-in user can read and write
    // them: "auth != null" checks only that the caller is authenticated,
    // not that they are an admin. The database never sees the admin panel's
    // client-side role check, so nothing stops a customer from calling the
    // SDK or REST API against these paths directly.
    "dashboard_stats": {
      ".read": "auth != null",
      ".write": "auth != null"
    },
    "promoCodes": {
      ".read": "auth != null",
      ".write": "auth != null"
    },
    "customerOffers": {
      ".read": "auth != null",
      ".write": "auth != null"
    },

    // Orders section (stricter rules)
    "orders": {
      // Intended for admins, but grants every signed-in user read access to
      // all orders. RTDB rules cascade: once ".read" is granted here, no
      // child rule can take it away.
      ".read": "auth != null",

      // Rules for individual orders. A node may declare ".write" only once;
      // the original file declared it twice, and the last declaration
      // ("auth != null") silently replaced the customer-only creation rule.
      // Both intents are combined into a single expression below.
      "$orderId": {
        // Branch 1: a customer creates a new order for themselves. The order
        // must not exist yet and its customerId must equal the caller's uid.
        // Branch 2: an update to an existing order (e.g. a status change).
        // Meant for admins, but nothing here identifies an admin, so any
        // signed-in user can modify or delete any existing order.
        // RTDB cannot read Firestore roles; a custom claim on the ID token
        // (auth.token.<claim>) is the usual way to carry a role into rules.
        ".write": "auth != null && ((!data.exists() && newData.child('customerId').val() == auth.uid) || data.exists())"
      }
    }
  }
}
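The following is an added example, not part of the rules file above and not code from the project it belongs to. It does two things a reviewer of these rules would want to run: a small lint that reports duplicate keys in a rules document (JSON.parse keeps only the last ".write", so the customer-only creation check is silently dropped), and a rewrite of the orders rules with a single ".write" per node and an admin check based on a custom claim. The sample rules text is constructed from the page's "$orderId" node; the "admin": true custom claim, the push-ID keys and the customerId field are assumptions about this project, not facts from the page.

```javascript
// Constructed copy of the page's "$orderId" node, with both ".write" keys
// declared exactly as the original file did.
const RULES_WITH_DUPLICATE = `{
  "rules": {
    "orders": {
      ".read": "auth != null",
      "$orderId": {
        // customer creates their own order
        ".write": "auth != null && (!data.exists() && newData.child('customerId').val() == auth.uid)",
        // admin updates an existing order (as written: any signed-in user)
        ".write": "auth != null"
      }
    }
  }
}`;

// Firebase accepts "//" comments in rules files but JSON.parse does not, so
// drop whole-line comments before parsing. (The linter below skips comments
// on its own.)
function stripLineComments(text) {
  return text.replace(/^\s*\/\/.*$/gm, '');
}

// Walk the text once, keeping one Set of seen keys per open object. A string
// followed by ':' is a key; seeing it twice in the same object is a duplicate.
function findDuplicateKeys(text) {
  const dups = [];
  const stack = [];
  let i = 0;
  while (i < text.length) {
    const c = text[i];
    if (c === '/' && text[i + 1] === '/') {            // skip a line comment
      while (i < text.length && text[i] !== '\n') i++;
      continue;
    }
    if (c === '"') {                                   // consume a whole string
      let j = i + 1, s = '';
      while (j < text.length && text[j] !== '"') {
        if (text[j] === '\\') { s += text[j] + text[j + 1]; j += 2; continue; }
        s += text[j++];
      }
      let k = j + 1;                                   // look past whitespace
      while (k < text.length && /\s/.test(text[k])) k++;
      if (text[k] === ':' && stack.length) {           // it is an object key
        const seen = stack[stack.length - 1];
        if (seen.has(s)) dups.push({ key: s, depth: stack.length });
        seen.add(s);
      }
      i = j + 1;
      continue;
    }
    if (c === '{') stack.push(new Set());
    else if (c === '}') stack.pop();
    i++;
  }
  return dups;
}

// What the database actually enforces after parsing: the last ".write" wins.
function effectiveOrderWriteRule(text) {
  return JSON.parse(stripLineComments(text)).rules.orders.$orderId['.write'];
}

// Hardened orders rules. Assumptions: admins carry a custom claim
// {"admin": true} set with the Admin SDK (visible in rules as
// auth.token.admin); orders are keyed by push ID and hold a customerId field.
const HARDENED_RULES = {
  rules: {
    orders: {
      // Only admins may list every order. Rules cascade, so this must not be
      // "auth != null" or every customer could read every order.
      '.read': 'auth != null && auth.token.admin === true',
      $orderId: {
        // A customer may read their own order.
        '.read': "auth != null && data.child('customerId').val() == auth.uid",
        // Create: only for yourself. Update or delete: only admins.
        '.write':
          'auth != null && (' +
          "(!data.exists() && newData.child('customerId').val() == auth.uid) || " +
          '(data.exists() && auth.token.admin === true))',
        // Ownership cannot be reassigned once the order exists.
        customerId: {
          '.validate': 'newData.isString() && (!data.exists() || newData.val() == data.val())',
        },
      },
    },
  },
};

function hardenedRulesText() {
  return JSON.stringify(HARDENED_RULES, null, 2);
}

console.log('duplicate keys:', findDuplicateKeys(RULES_WITH_DUPLICATE));
console.log('effective $orderId .write:', effectiveOrderWriteRule(RULES_WITH_DUPLICATE));
console.log(hardenedRulesText());
```

Run it with node. The lint reports one duplicate ".write" at depth 4 and the effective rule comes back as plain "auth != null", which is what the database enforced for the original file. The same substitution applies to the "admin-only" nodes above the orders section: replace "auth != null" with "auth != null && auth.token.admin === true", and set the claim server-side with the Admin SDK, since a role stored in Firestore is invisible to Realtime Database rules.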
