jkomoros / card-web

The web app behind thecompendium.cards
Apache License 2.0

Strengthen security rules for cardEditInboundReferences() #587

Open jkomoros opened 2 years ago

jkomoros commented 2 years ago

Originally part of #585.

Currently when verifying security rules for a card that is having its inbound links updated, all we check is that the edits are to only references_inbound and references_info_inbound. That prevents egregious problems but ideally would be tightened to add two additional things:

1) Verify, for each otherCardID that is changed in references_inbound, (that is, the card that has changed, and where our inbound links are being updated in response to), that the current user has edit access. The first bit of code to get the IDs is:

```
let modifiedCardIDs = request.resource.data.get('references_inbound', {}).diff(resource.data.get('references_inbound', {})).changedKeys();
```

Unfortunately, there is no way to loop through each item in the set, OR to convert the set to a list and then manually unroll the loop (e.g. `...(!modifiedCardIDs[2] || userMayEditCard(modifiedCardIDs[2])) ...`).

2) Verify that the same batch/transaction also ADDs (or removes) the reference on the other document, using getAfter to get the state of the other document and verify that it has the matching reference set (or not set).

I can't think of a way to actually accomplish either of these given Firestore security rules limitations, but keeping track just in case that becomes possible later.
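
The existing field check and the two extra checks from the issue, modelled as plain JavaScript over before/after snapshots of a batch. This is an added example, not code from card-web and not Firestore rules syntax; the `outbound_refs` field, the `mayEdit` callback and the sample cards are assumptions constructed for illustration.

```javascript
// Constructed model: before/after map cardID -> card document.
// `outbound_refs` and `mayEdit` are hypothetical names, not card-web's schema.
const same = (a, b) => JSON.stringify(a) === JSON.stringify(b);

// Keys added, removed, or changed between two maps.
function affectedKeys(beforeMap = {}, afterMap = {}) {
  const keys = new Set([...Object.keys(beforeMap), ...Object.keys(afterMap)]);
  return [...keys].filter((k) => !same(beforeMap[k], afterMap[k]));
}

// Returns a list of violations for an inbound-reference edit to `cardID`.
function checkInboundEdit(cardID, before, after, mayEdit) {
  const errors = [];
  const oldCard = before[cardID] || {};
  const newCard = after[cardID] || {};
  // Existing check: only the two inbound fields may change on this card.
  const allowed = ['references_inbound', 'references_info_inbound'];
  for (const field of affectedKeys(oldCard, newCard)) {
    if (!allowed.includes(field)) errors.push(`field ${field} may not change`);
  }
  const newInbound = newCard.references_inbound || {};
  for (const otherID of affectedKeys(oldCard.references_inbound, newInbound)) {
    // Check 1: the user must have edit access to every card whose entry changed.
    if (!mayEdit(otherID)) errors.push(`no edit access to ${otherID}`);
    // Check 2: the other card's state after the batch must mirror the entry.
    const otherOut = (after[otherID] || {}).outbound_refs || {};
    if ((otherID in newInbound) !== (cardID in otherOut)) {
      errors.push(`reference from ${otherID} not mirrored`);
    }
  }
  return errors;
}

// Constructed sample data.
const before = {
  a: { title: 'A', references_inbound: {}, outbound_refs: {} },
  b: { title: 'B', references_inbound: {}, outbound_refs: {} },
};
// Consistent batch: b links to a, and a's inbound map is updated to match.
const consistent = {
  a: { ...before.a, references_inbound: { b: true } },
  b: { ...before.b, outbound_refs: { a: true } },
};
// Mismatched batch: a's inbound map changes but b is left untouched.
const mismatched = { ...before, a: { ...before.a, references_inbound: { b: true } } };
const mayEditB = (id) => id === 'b';

console.log(checkInboundEdit('a', before, consistent, mayEditB));
console.log(checkInboundEdit('a', before, mismatched, mayEditB));
```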