firestore.rules

rules_version = '2'

service cloud.firestore {
	match /databases/{database}/documents {
		match /users/{uid} {
			allow read
			allow create: if
				isSignedInWith(uid)
			allow update: if
				isSignedInWith(uid) ||
				onlyUpdatedFields(['allowContact']) ||
				onlyUpdatedFields(['unsubscribed', 'unsubscribed.due-cards'])
			
			match /blocked/{otherUid} {
				allow read, create, update
			}
			
			match /tokens/{token} {
				allow read, create, update: if
					isSignedInWith(uid)
			}
			
			match /activity/{day} {
				allow read
			}
			
			match /decks/{deckId} {
				allow read, write: if
					isSignedInWith(uid)
				
				match /drafts/{draftId} {
					allow read, write: if
						isSignedInWith(uid)
				}
				
				match /cards/{cardId} {
					allow read: if
						isSignedInWith(uid)
				}
			}
		}
		
		match /topics/{topicId} {
			allow read
		}
		
		match /decks/{deckId} {
			allow read
			allow create: if
				isSignedInAsDeckCreator(getNewData())
			allow write: if
				isSignedInAsDeckCreator(getOldData())
			
			match /sections/{sectionId} {
				allow read
				allow write: if
					isSignedInAsDeckCreator(getDeck(deckId))
			}
			
			match /cards/{cardId} {
				allow read
				allow write: if
					isSignedInAsDeckCreator(getDeck(deckId))
			}
		}
		
		match /counters/{counter} {
			allow read
		}
		
		match /previewDeckScores/{scoreId} {
			allow read, create
		}
		
		function isSignedIn() {
			return request.auth != null
		}
		
		function isSignedInWith(uid) {
			return isSignedIn() && request.auth.uid == uid
		}
		
		function getNewData() {
			return request.resource.data
		}
		
		function getOldData() {
			return resource.data
		}
		
		function onlyUpdatedFields(fields) {
			return getNewData().diff(getOldData()).affectedKeys().hasOnly(fields)
		}
		
		function getDeck(deckId) {
			return get(/databases/$(database)/documents/decks/$(deckId)).data
		}
		
		function isSignedInAsDeckCreator(deck) {
			return isSignedInWith(deck.creator)
		}
	}
}