firestore.rules

rules_version = '2';
service cloud.firestore {
	match /databases/{database}/documents {
		match /users/{userId} {
			allow read: if authUidMatchesNoVerification(userId);
		}
		match /reading/{userId} {
			allow read: if authUidMatches(userId);
			allow create, update: if authUidMatches(userId)
				&& request.resource.data.size() == 1
				&& (request.resource.data.last_read_message == null || isMessage(request.resource.data.last_read_message));
		}
		match /rooms/{domain} {
			allow get: if isMyDomain(domain);
			allow list: if isAdmin();

			match /members/{userId} {
				allow read: if isMyDomain(domain);
			}
			match /reports/{uid} {
				allow create: if isMyDomain(domain)
					&& request.resource.data.report_author.uid == request.auth.uid
					&& exists(/databases/$(database)/documents/users/$(request.resource.data.message_author.uid))
					&& request.resource.data.moderation == 'pending';
			}
		}
		match /chats/{domain} {
			allow get: if isMyDomain(domain);
			allow update: if isMyDomain(domain)
				&& (request.resource.data.size() == 2 || request.resource.data.size() == 3)
				&& request.resource.data.messages != null
				&& request.resource.data.reactions != null;
		}
		match /{path=**}/reports/{uid} {
        	allow read, write: if isAdmin();
        }
		match /stats/{domain} {
			allow read: if isAdmin();
		}


		function authUidMatches(uid) {
			return isVerified() && request.auth != null && request.auth.uid == uid;
		}
		function authUidMatchesNoVerification(uid) {
			return request.auth != null && request.auth.uid == uid;
		}
		function isVerified() {
			return (request.auth != null && request.auth.token.email_verified == true) || exists(/databases/$(database)/documents/users/$(request.auth.uid));
		}
		function isMyDomain(domain) {
			return isVerified() && ("domain" in request.auth.token && request.auth.token.domain == domain) || (get(/databases/$(database)/documents/users/$(request.auth.uid)).data.domain == domain);
		}
		function isAdmin() {
			return isVerified() && request.auth != null && request.auth.token.admin == true;
		}

		function isMessage(message) {
			return message.uid is string
				&& message.author is string
				&& message.createdAt is timestamp
				&& message.content is string;
		}
	}
}