firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /projects/{project} {

      function isInPublicGalleryOrIsCreator(uid, galleryID) {
        let gallery = get(/databases/$(database)/documents/galleries/$(galleryID)).data;
        return gallery != null && (gallery.public || uid in gallery.creators || uid in gallery.curators);
      }

      function isCuratorOfProjectInGallery(uid, galleryID) {
        let gallery = get(/databases/$(database)/documents/galleries/$(galleryID)).data;
        return gallery != null && (uid in gallery.curators);
      }

      allow create: if request.auth != null;
      // Projects are readable if:
      // 1) They are public
      // 2) The requestor is the owner or a collaborator
      // 3) The requestor is a curator or creator of the gallery that the project is in, so all gallery projects are readable.
      allow read: if 
        (resource.data != null && 'public' in resource.data && resource.data.public) || 
        (resource.data != null && request.auth != null && 
          ( 
            ("mod" in request.auth.token && request.auth.token.mod) ||
            ('owner' in resource.data && resource.data.owner == request.auth.uid) || 
            ('collaborators' in resource.data && request.auth.uid in resource.data.collaborators) || 
            ('gallery' in resource.data && resource.data.gallery != null && isInPublicGalleryOrIsCreator(request.auth.uid, resource.data.gallery))
          )
        );
      allow update: 
        if request.auth != null && 
          (
            resource.data.owner == request.auth.uid || 
            request.auth.uid in resource.data.collaborators || 
            ("mod" in request.auth.token && request.auth.token.mod) ||
            (resource.data.gallery != null && isCuratorOfProjectInGallery(request.auth.uid, resource.data.gallery))
          );
      allow delete: if request.auth != null && resource.data.owner == request.auth.uid;
    }
    match /creators/{uid} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
    match /galleries/{gallery} {
      allow create: if request.auth != null;
      allow read: if (resource.data != null && "public" in resource.data && resource.data.public) || (request.auth != null && (request.auth.uid in resource.data.curators || request.auth.uid in resource.data.creators));
      
      allow update: 
        if request.auth != null && 
          // Curators can update anything
          // Creators can't update public status or creator or curator list.
          (
            request.auth.uid in resource.data.curators || 
            (
              request.auth.uid in resource.data.creators && 
              request.resource.data.public == resource.data.public && 
              request.resource.data.curators == resource.data.curators && 
              request.resource.data.creators == resource.data.creators
            )
          );
      allow delete: if request.auth != null && request.auth.uid in resource.data.curators;
    }
    match /chats/{chat} {
      // Anyone logged in can create chats
      allow create: if request.auth != null;
      // Participants can read, update, and delete chats
      allow read, update, delete: if request.auth != null && (resource == null || (resource.data != null && request.auth.uid in resource.data.participants));
    }
    match /classes/{class} {
      function isTeacher() { 
        return "teacher" in request.auth.token && request.auth.token.teacher; 
      }

      // Only teachers can create classes
      allow create: if request.auth != null && isTeacher();
      // Students and teachers can read classes
      allow get: if request.auth != null && resource.data != null && (
        ("learners" in resource.data && request.auth.uid in resource.data.learners) || 
        ("teachers" in resource.data && request.auth.uid in resource.data.teachers)
      );
      allow list: if request.auth != null;
      // Only teachers of a class can update and delete classes
      allow update, delete: if request.auth != null && isTeacher() && (resource.data != null && request.auth.uid in resource.data.teachers);
    }
    match /characters/{character} {
      // Anyone logged in can create characters
      allow create: if request.auth != null;
      // Allowed if it doesn't exist or this is the owner asking, Owners or ownerless characters can be read
      allow read: 
        if resource == null ||
          ("public" in resource.data && resource.data.public) || 
          (request.auth != null && 
            (
              ("owner" in resource.data && request.auth.uid == resource.data.owner) ||
              ("collaborators" in resource.data && request.auth.uid in resource.data.collaborators)
            )
          );
      // Only owners can update or delete.
      allow update: if request.auth.uid == resource.data.owner || ("collaborators" in resource.data && request.auth.uid in resource.data.collaborators);
      allow delete: if request.auth.uid == resource.data.owner;
    }
    match /feedback/{id} {
      // Anyone can read feedback
      allow read: if true;
      // Anyone logged in can create feedback
      allow create: if request.auth != null;
      // Only the creator can read, update, or delete their feedback; anyone can vote on the feedback though
      allow update, delete: if request.auth != null && (request.auth.uid == resource.data.creator || ("mod" in request.auth.token && request.auth.token.mod) || request.resource.data.diff(resource.data).affectedKeys().hasOnly(["votes"]));
    }
  }
}