Open shresthabijay opened 2 years ago
Firebase cannot limit the number of entries in a collection. So it is not possible to limit using Firebase security rules.
/user_invites/${userId}. Only readable by the owner user.
/invites. Make /invites path non-readable, but make /invites/${inviteCodeId} readable. That means no user can see the full list, but any user with an invite code id can read the data of that specific invite code. Also, the invite code should be writable.
/user_invites/${userId} and also creates an entry in /invites. This function should be guarded by id token.
/invites. It also updates the claim in the user token.
In the current invite system, we have one single collection /invites that is readable and writeable by any user. Anyone with an app token can access and update the invites. This defeats the purpose of private invites. So we need the following things:
/invites.
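The read rules described in this issue could be expressed as follows. This is an added example, not code from the project or from the issue author. It assumes Cloud Firestore (the issue speaks of collections), that "any user" means a signed-in user, and that the invite-creating function uses the Admin SDK, which bypasses security rules.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Current behaviour described in the issue (weak), shown for contrast:
    //   match /invites/{inviteCodeId} {
    //     allow read, write: if request.auth != null;
    //   }
    // "read" covers both get and list, so any signed-in client can
    // enumerate and modify every invite.

    // Per-user invite record: readable only by the owner.
    match /user_invites/{userId} {
      allow get: if request.auth != null && request.auth.uid == userId;
      allow list: if false;
      // Assumption: entries are created by the ID-token-guarded function
      // through the Admin SDK, so no client write is allowed here.
      allow write: if false;
    }

    // Invite codes: a single document can be fetched by anyone who knows
    // its id, but the collection cannot be listed or queried.
    match /invites/{inviteCodeId} {
      allow get: if request.auth != null;
      allow list: if false;
      // The issue also says the invite code should be writable. It does not
      // say by whom or which fields, so client writes stay closed in this
      // sketch; a narrower "allow update" condition would go here.
      allow write: if false;
    }
  }
}
```

Splitting `read` into `get` and `list` is what makes the invite code id act as the access secret: a client must already know the document id to read it, and cannot discover other ids through a query.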