firestore.rules

service cloud.firestore {
  match /databases/{database}/documents {
    //--> Custom Functions
    function isAuthenticated() {
        return request.auth != null;
    }
    function isAdmin() {
        return isAuthenticated() && request.auth.token.isAdmin == true;
    }
    function isOwner(param) {
        return isAuthenticated() && request.auth.uid == param;
    }
    // Documents /languages/*/sessions/* can be updated with { likes } data
    function sessionLikeUpdate() {
      return resource.__name__ == /databases/$(database)/documents/languages/$(languageId)/sessions/$(entityId)
        && request.resource.data.keys().join('') == 'likes';
    }
    //<-- Custom Functions

    // Rules

    // Restrict access to all non-/languages/** collections for Admin only.
    match /{rootCollection}/{document=**} {
        allow read, write: if isAdmin() || (rootCollection == 'languages');
    }

    // Core data
    // 1) Admin can do Absolutely anything
    // 2) All can edit 'likes' in /languages/{lang}/sessions/{id}
    //    Note: Match cannot be used on a document property. Therefore payload
    //    body has to be checked. Tried to use `hasOnly`, but didn't work ,
    //    see https://firebase.google.com/docs/reference/rules/rules.List.html#hasOnly
    //    hasOnly - bugged solution:
    //      request.resource.data.keys().hasOnly(['likes']) == true
    match /languages/{languageId}/{entityCollection}/{entityId} {
        allow read, write: if isAdmin() || sessionLikeUpdate()
    }
    // Anyone can read anything
    match /languages/{langId=**} {
        allow read;
    }

    // User data
    // 1) owner can read and write
    // 2) anyone can read `isPublic=true` agendas
    match /userData/{userId} {
      allow read, write: if isOwner(userId);
    }
    match /userPrograms/{userId} {
      allow read: if isOwner(userId) || (resource != null && resource.data.isPublic == true);
      allow write: if isOwner(userId);
    }
  }
}