firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    
    function isEboard(userId) {
      return get(/databases/$(database)/documents/users/$(userId)).data.roles.eboard == true;
    }
    
    function isRecruitment(userId) {
      return get(/databases/$(database)/documents/users/$(userId)).data.roles.recruitmentteam == true;
    }
    
    function isAdmin(userId) {
    	return get(/databases/$(database)/documents/users/$(userId)).data.roles.admin == true;
    }
  
    match /website/{document=**} {
      allow read: if true;
      allow write: if isAdmin(request.auth.uid) || isEboard(request.auth.uid);
    }
    match /users/{userId} {
      allow read: if true;
      allow write: if isAdmin(request.auth.uid) || isEboard(request.auth.uid) || (request.auth.uid == userId);
    }
    
    match /inquisitor/{document=**} {
    	allow read: if request.auth != null;
      
      match /generalSettings {
      	allow write: if isAdmin(request.auth.uid) || isEboard(request.auth.uid);
      }
      
      match /applicationFormConfig {
      	allow write: if isAdmin(request.auth.uid) || isEboard(request.auth.uid);
      }
      
      match /levelConfig {
      	allow write: if isAdmin(request.auth.uid) || isEboard(request.auth.uid);
      }
      
      match /data/questions/{question} {
      	allow write: if isAdmin(request.auth.uid) || isEboard(request.auth.uid);
      }
      
      match /data/applications/{applicationId} {
      	allow write: if isRecruitment(request.auth.uid) || isAdmin(request.auth.uid) || isEboard(request.auth.uid)|| (request.auth.uid == applicationId);
      }
      
      
      match /data/timeslots/{timeslot} {
        allow write: if request.resource == null || request.resource.data.time is number;
      }
    }
    
    match /config/{document=**} {
    	allow read: if true;
      allow write: if isAdmin(request.auth.uid) || isEboard(request.auth.uid);
    }
    
    match /uids/{document=**} {
      allow read: if true;
    	allow write: if isAdmin(request.auth.uid) || isEboard(request.auth.uid);
    }
    
    // service accounts can still read when it's set to false
    // this way normal users can't access session data but Authenticator can
    match /authSessions/{document=**} {
    	allow read, write: if false;
    }
  }
}