firestore.rules

rules_version = '2';
service cloud.firestore {
	match /databases/{database}/documents {

		function authorizedPlaylist(playlistId) {
			return request.auth.uid != null
				&& request.auth.uid == get(/databases/$(database)/documents/filteredPlaylists/$(playlistId)).data.createdBy;
		}

		match /filteredPlaylists/{playlistId} {

			// Check if user created the current filtered playlist
			function isOgUser(compareTo) {
				return request.auth.uid != null
					&& request.auth.uid == compareTo;
			}

			allow create: if request.resource.data.keys().hasOnly(['createdBy', 'originId'])
				&& request.resource.data.originId != null
				&& isOgUser(request.resource.data.createdBy);
			allow update: if (
					request.resource.data.keys().hasOnly(['createdBy', 'originId'])
					// May have `createdAt` property if Firebase Function already triggered. If so, it should not have been modified.
					|| (
						request.resource.data.keys().hasOnly(['createdBy', 'originId', 'createdAt'])
						&& request.resource.data.createdAt == resource.data.createdAt
					)
				)
				&& request.resource.data.originId != null
				&& isOgUser(request.resource.data.createdBy)
				&& isOgUser(resource.data.createdBy);
			allow read, delete: if isOgUser(resource.data.createdBy);

			match /filteredSongs/{songId} {

				allow create, update: if request.resource.data.keys().hasOnly(['updatedBy', 'markedCriteria'])
					&& request.auth.uid == request.resource.data.updatedBy
					&& authorizedPlaylist(playlistId);
				allow read, delete: if authorizedPlaylist(playlistId);
			}
		}

		match /filterCriteria/{criteriaId} {

			allow create: if request.resource.data.keys().hasOnly(['playlistId', 'order', 'purpose', 'description'])
				&& authorizedPlaylist(request.resource.data.playlistId);
			allow update: if request.resource.data.keys().hasOnly(['playlistId', 'order', 'purpose', 'description'])
				&& authorizedPlaylist(resource.data.playlistId);
			allow read, delete: if authorizedPlaylist(resource.data.playlistId);
		}

		match /filterActions/{actionId} {

			allow create: if request.resource.data.keys().hasOnly(['playlistId', 'order', 'ifType', 'ifId', 'thenType', 'thenId'])
				&& authorizedPlaylist(request.resource.data.playlistId);
			allow update: if request.resource.data.keys().hasOnly(['playlistId', 'order', 'ifType', 'ifId', 'thenType', 'thenId'])
				&& authorizedPlaylist(resource.data.playlistId);
			allow read, delete: if authorizedPlaylist(resource.data.playlistId);
		}

	}
}