firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /SERVERS/{serv} {
      allow list: if true;
    }

    function allowInputs(inputs) {
      return request.resource.data.keys().hasOnly(inputs);
    }

    function check(inputs) {
      return (
        request.resource.data.keys().hasOnly(inputs)
        && request.resource.data.keys().hasAll(inputs)
      );
    }

    function same(key) {
      return request.resource.data[key] == resource.data[key];
    }

    function getOwner(home) {
      return get(/databases/$(database)/documents/homes/$(home)).data.owner
    }

    match /relations/{relation} {
      function isOwner() {
        return getOwner(relation.split('@')[0]) == request.auth.uid;
      }

      function isAdmin() {
        return (
          isOwner()
          || get(/databases/$(database)/documents/relations/$(relation.split('@')[0] + '@' + request.auth.uid)).data.isAdmin == true
        );
      }

      function hasValidInvitation() {
        let exp = get(/databases/$(database)/documents/homes/$(request.resource.data.home)/invitations/$(request.resource.data.invitation)).data.expiresOn.split('-');
        return request.time.toMillis() < timestamp.date(int(exp[0]), int(exp[1]), int(exp[2])).toMillis();
      }

      function isAdminInHome(home) {
        return (
          get(/databases/$(database)/documents/homes/$(home)).data.owner == request.auth.uid
          || get(/databases/$(database)/documents/relations/$(home + '@' + request.auth.uid)).data.isAdmin == true
        );
      }

      // It's user's relation
      // or user is admin in home
      allow list, get: if (
        resource.data.user == request.auth.uid
        || isAdminInHome(resource.data.home)
      );

      allow create: if (
        resource == null
        && request.resource.data.user == request.auth.uid
        && relation == request.resource.data.home + '@' + request.resource.data.user
        && (
          (
            isOwner()
            && check(['home', 'user', 'displayName', 'isAdmin'])
            && request.resource.data.isAdmin != false
            && request.auth.token.email_verified
          ) || (
            hasValidInvitation()
            && check(['home', 'user', 'displayName', 'invitation'])
          )
        )
      );

      // If user is owner/admin of relation's home
      allow update: if (
        isAdmin()
        && allowInputs([
          'home', 'user', 'displayName', 'groups',
          'invitation', 'isAdmin', 'notifications'
        ])
        && same('home') && same('user')
        && !('invitation' in resource.data) || same('invitation')
      );

      // It is user's relation and user isn't owner of the home
      allow delete: if request.auth.uid == relation.split('@')[1] && !isOwner();

      // User is admin and deletes a user who isn't himself
      allow delete: if request.auth.uid != relation.split('@')[1] && isAdmin();

      // Home doesn't exists
      allow delete: if !exists(/database/$(database)/documents/homes/$(relation.split('@')[0]));
    }

    match /homes/{home} {
      function getHome() {
        return get(/databases/$(database)/documents/homes/$(home)).data;
      }

      function relation() {
        return get(/databases/$(database)/documents/relations/$(home + '@' + request.auth.uid)).data;
      }

      function isOwner() {
        return getHome().owner == request.auth.uid;
      }

      function isAdmin() {
        return isOwner() || relation().isAdmin == true
      }

      allow get: if true;
      allow create: if (
        resource == null
        && check(['icon', 'name', 'owner'])
        && request.auth.token.email_verified
        && request.resource.data.owner == request.auth.uid
        && home.matches('^([0-9]|[a-z])*$')
      );

      allow update: if (
        isAdmin()
        && check(['icon', 'name', 'owner', 'server'])
        && same('owner')
      );

      match /groups/{group} {
        allow read: if (
          group in relation().groups
          || isAdmin()
        );

        allow write: if (
          group.matches('^([0-9]|[a-z]|[A-Z])*$')
          && (
            request.method == 'delete'
            || (
              check(['name', 'displayName', 'pages'])
              && request.resource.data.name != 'global'
            )
          )
          && isAdmin()
        );
      }

      match /pages/{page} {
        allow get: if (
          page in get(/databases/$(database)/documents/homes/$(home)/groups/$(relation().groups[0])).data.pages
          || page in get(/databases/$(database)/documents/homes/$(home)/groups/$(relation().groups[1])).data.pages
          || page in get(/databases/$(database)/documents/homes/$(home)/groups/$(relation().groups[2])).data.pages
        );
        allow list: if isAdmin();
        allow write: if (
          page.matches('^([0-9]|[a-z]|[A-Z])*$')
          && isAdmin()
          && (check(['icon', 'name', 'content']) || request.method == 'delete')
        );
      }

      match /invitations/{invit} {
        allow list: if isAdmin();

        allow create, update: if (
          invit.matches('^([0-9]|[a-z]|[A-Z])*$')
          && isAdmin()
          && check(['name', 'createdOn', 'expiresOn'])
          && (request.method != 'update' || same('createdOn'))
        );

        allow delete: if isAdmin();
      }

      match /coordinators/main {
        allow get: if isAdmin();
        allow write: if (
          isAdmin()
          && check(['secret', 'createdDate', 'createdBy', 'lastDate'])
          && request.resource.data.createdBy == request.auth.uid
        );
      }
    }

    match /users/{userID} {
      match /pushTokens/{tokenID} {
        allow read, write: if request.auth.uid == userID;
      }
    }
  }
}