This repository was archived by the owner on Mar 11, 2025. It is now read-only.
firestore.rules
rules_version = '2';
service cloud.firestore {
match /databases/{database}/documents {
// "get" and "list" fall under the "read" category
// "create", "delete", and "update" fall under the "write" category
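// True when the request carries a Firebase Authentication token.
// The check is made on request.auth itself: for an unauthenticated request
// request.auth is null, and reading request.auth.uid from it denies only
// as a side effect of an evaluation error instead of returning a plain false.
function isAuthenticated() {
  return request.auth != null
}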
// Ownership check against the stored document: true when its authorID
// field equals the caller's uid. `resource` is the document as it exists
// before the request is applied, so this says nothing about the data the
// client is trying to write (request.resource).
function isAuthor() {
  return resource.data.authorID == request.auth.uid
}
// Accepts a string made of '#' followed by 3 or 6 hex digits
// (for example #abc or #a1b2c3). The type test comes first so that
// matches() is only called on strings.
// NOTE(review): no ^/$ anchors are used; this relies on matches() in
// security rules testing the whole string — confirm before reusing the
// pattern with an engine that does substring matching.
function isHexColorValid(color) {
return color is string && color.matches('#([a-fA-F0-9]{3}){1,2}')
}
// True for any string with at least one character.
// NOTE(review): whitespace-only strings pass and there is no upper bound
// on length, so fields validated only by this helper can hold arbitrarily
// long client-supplied text.
function isNotEmpty(value) {
  return value is string && value != ''
}
// Type check only: true when the value is a Firestore timestamp.
// NOTE(review): the value is not compared with request.time, so the
// client chooses which instant is stored; do not treat fields validated
// here as trustworthy audit times.
function isTimestampValid(ts) {
return ts is timestamp
}
// Allow-list for the visibility field: only the exact strings
// 'public' and 'private' are accepted.
function isVisibilityValid(visibility) {
  return visibility is string && (visibility == 'public' || visibility == 'private')
}
match /groups/{groupID} {
  // Validates the document the client wants to store (used for both
  // create and update): required fields have the expected types, and the
  // authorID being written must be the caller's own uid, so a client
  // cannot assign a group to another account.
  // NOTE(review): `author` is a client-supplied string that is only
  // checked for being non-empty, and fields outside this list are not
  // rejected.
  function isCreateGroupValid() {
    let incoming = request.resource.data;
    return isNotEmpty(incoming.author) &&
      isNotEmpty(incoming.authorID) &&
      isHexColorValid(incoming.color) &&
      incoming.markers is list &&
      isNotEmpty(incoming.name) &&
      isTimestampValid(incoming.tsCreated) &&
      request.auth.uid == incoming.authorID;
  }

  // Groups are private to their owner: reading and deleting require that
  // the stored authorID is the caller.
  allow read, delete: if isAuthenticated() && isAuthor()

  // New groups only need a valid payload owned by the caller.
  allow create: if isAuthenticated() && isCreateGroupValid()

  // Updates need ownership of the stored document, a valid payload that
  // still names the caller as owner, and a tsUpdated timestamp.
  allow update: if isAuthenticated() && isAuthor() && isCreateGroupValid() && isTimestampValid(request.resource.data.tsUpdated)
}
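match /markers/{markerID} {
  // Validates the document the client wants to store (used for both
  // create and update): required fields have the expected types and
  // visibility is one of the allowed values.
  // The last clause binds the written authorID to the caller's uid, as
  // the groups rules do. Without it a marker could be stored under
  // another account's authorID.
  // NOTE(review): latLng is only checked for being non-null; its type and
  // coordinate range are not validated here.
  function isCreateMarkerValid() {
    return isNotEmpty(request.resource.data.author) &&
      isNotEmpty(request.resource.data.authorID) &&
      request.resource.data.images is list &&
      request.resource.data.latLng != null &&
      isNotEmpty(request.resource.data.name) &&
      isTimestampValid(request.resource.data.tsCreated) &&
      isVisibilityValid(request.resource.data.visibility) &&
      request.auth.uid == request.resource.data.authorID
  }

  // Signed-in users can read their own markers and any marker whose
  // stored visibility is 'public'.
  allow read: if isAuthenticated() && (isAuthor() || resource.data.visibility == 'public')

  allow create: if isAuthenticated() && isCreateMarkerValid()

  // isAuthor() is required here: payload validation alone does not look
  // at the stored document, so without it any signed-in user could
  // overwrite a marker they do not own.
  allow update: if isAuthenticated() && isAuthor() && isCreateMarkerValid() && isTimestampValid(request.resource.data.tsUpdated)

  allow delete: if isAuthenticated() && isAuthor()
}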
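match /usernames/{username} {
  // Single-document reads are open to everyone, including unauthenticated
  // clients, so every field stored in a username document is public.
  // `list` is not granted, so the collection cannot be queried.
  allow get: if true

  // The created document must name the caller as its owner. The update
  // and delete rules below authorise on the stored authorID, so leaving it
  // unchecked at creation would let a client register a username under
  // another account's uid.
  // NOTE(review): assumes username documents carry an authorID field, as
  // the isAuthor() checks on update/delete already require — confirm
  // against the client code.
  allow create: if isAuthenticated() && request.resource.data.authorID == request.auth.uid

  // Only the current owner may change the document, and the written
  // authorID must remain the caller's uid.
  allow update: if isAuthenticated() && isAuthor() && request.resource.data.authorID == request.auth.uid

  // Delete has no incoming document; ownership of the stored one suffices.
  allow delete: if isAuthenticated() && isAuthor()
}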
}
}