rules documentation

README.md

@@ -15,14 +15,16 @@ supported. More coming soon, for comprehensive list see ROADMAP.md.
 
 ![Firetable screenshot](https://firetable.io/demo-screenshot.png)
 
-
 ## Setup instructions
 
 ### 1. Create a Firebase project [(Instructions)](https://console.firebase.google.com/u/0/)
 
 - Create a Firestore database
 - Set up Firestore Security Rules: use Test Mode or set up required permissions.
-  Below are sample rules that allow for unlimited access to the entire database:
+
+  Below are sample rules that allow for unlimited access to the entire database
+  just for quick testing purpose:
+
   ```
   rules_version = '2';
   service cloud.firestore {
@@ -33,6 +35,9 @@ supported. More coming soon, for comprehensive list see ROADMAP.md.
     }
   }
   ```
+
+  [Or follow this guide for setting up you rules](RULES.md)
+
 - Upgrade project to the Blaze Plan
 - Enable the Google sign-in method in **Authentication / Sign-in method**
 

ROADMAP.md

@@ -68,7 +68,7 @@
 - Locked columns ✅
 - Table view only mode
 - SubCollection tables ✅
-- Permissions
+- Permissions✅
 - Duplicate columns
 - Filter columns:✅
   - equals to✅

RULES.md

@@ -0,0 +1,81 @@
+# Firetable Rules
+
+Firetable uses a Role based access control on top of firestore rules you
+
+## Firestore Rules Base
+
+```
+rules_version = '2'
+service cloud.firestore {
+   match /databases/{database}/documents {
+      match /{document=**} {
+         // this is gives full rights to users with an admin role
+         allow read, write: if hasRole("ADMIN")
+      }
+      match /_FIRETABLE_/settings {
+
+        // specify the roles that have access firetable configuration
+        // this allows users to view tables and columns on firetable but without the ability to modify them
+         allow read: if hasAnyRole(["INTERNAL"])
+         match /{collection=**}/{tableName} {
+            allow read: if hasAnyRole(["INTERNAL"])
+         }
+      }
+
+      match /_FT_USERS/{docId} {
+        // allows to store firetable user customizations such as filters and favorite tables
+         allow get, update, create, write:if isOwner(docId)
+      }
+
+      // utility functions
+      function hasRole(role) {
+         return role in request.auth.token.roles
+      }
+      function hasAnyRole(roles) {
+         return request.auth.token.roles.hasAny(roles)
+      }
+      function isOwner(docId) {
+        // turns a boolean for if the authenticated user has the same uid as the resource document id
+         return request.auth.uid == resource.id || request.auth.uid == docId
+      }
+   }
+}
+
+```
+
+## Custom claims
+
+The firetable roles are stored in the users firebase auth token custom claims
+
+[(firebase auth Docs)](https://firebase.google.com/docs/auth/admin/custom-claims)
+
+### setting roles
+
+this a basic script for setting your user roles. you can run this locally using
+the adm sdk or implement it in your cloud functions
+
+```js
+import * as admin from "firebase-admin";
+//set your project id
+const projectId = "YOUR FIREBASE PROJECT ID HERE";
+console.log(`Running on ${projectId}`);
+// you can get the admin sdk service account key from the url bellow, remember to add your project Id
+//https://console.firebase.google.com/u/0/project/{{PORJECT_ID}}/settings/serviceaccounts/adminsdk
+var serviceAccount = require(`./firebase-service-account.json`);
+admin.initializeApp({
+  credential: admin.credential.cert(serviceAccount),
+  databaseURL: `https://${projectId}.firebaseio.com`,
+});
+// Initialize Auth
+export const auth = admin.auth();
+
+// sets the custom claims on an account to the claims object provided
+const setClaims = async (email, claims) => {
+  const user = await auth.getUserByEmail(email);
+  auth.setCustomUserClaims(user.uid, claims);
+};
+
+setClaims("enter your email", {
+  roles: ["ADMIN"],
+});
+```