firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth.uid != null;
    }

    function hasRole(role) {
      let roles = {"admin": 1, "writer": 2};
      return isSignedIn() && roles[role] == get(/databases/$(database)/documents/sensitive-user-data/$(request.auth.token.email)).data.role;
    }

    function isDataOwner() {
      return resource.data.uID == request.auth.uid;
    }

    match /blog-entries/{document=**}  {
      allow read: if resource.data.listed == true || hasRole("writer") || hasRole("admin");
      allow write: if hasRole("writer") || hasRole("admin");
    }

    match /events/{document=**} {
    	allow read;
      allow write: if hasRole("admin");
    }

    match /collection-metadata/{document=**}   {
      allow read;
      allow write: if hasRole("admin");
    }

    match /team/{document=**}  {
      allow read;
      allow write: if hasRole("admin");
    }

    match /users/{document=**}  {
    	allow get, update, delete: if isDataOwner() || hasRole("admin");
      allow list: if hasRole("admin");
      // Solo puede crear el objeto usuario si el id del usuario en el body corresponde con el id del usuario en el token
      allow create: if isSignedIn() && request.resource.data.uID == request.auth.uid;
    }

    match /sensitive-user-data/{document=**} {
      allow read, write: if hasRole("admin");
    }
  }
}