firestore.rules

rules_version = '2';

// Prevent a field from being updated with a new value
function notUpdating(field) {
    return !(field in request.resource.data) || resource.data[field] == request.resource.data[field];
}

// [WRITE] Data that is sent to a Firestore document
// e.g incomingData().userId
// e.g isUser(incomingData().userId)
function incomingData() {
    return request.resource.data;
}

// [READ] Data that exists on the Firestore document
function existingData() {
    return resource.data;
}

function userExists() {
    return exists(/databases/$(database)/documents/users/$(request.auth.uid));
}

function isAuth() {
    return request.auth != null && request.auth.uid != null;
}

function isUser(uid) {
    return request.auth.uid == uid;
}

function isAdmin() {
    return isAuth() && request.auth.token.admin == true;
}

function isSuperAdmin() {
    return isAuth() && request.auth.token.super == true;
}

function isKycAuditor() {
    return isAuth() && request.auth.token.kycAuditor == true;
}

function userRoles(userId) {
    return get(/databases/$(database)/documents/users/$(userId)).data.roles;
}

service cloud.firestore {
    match /databases/{database}/documents {
        match /users/{userId} {
            allow read: if isUser(userId) || isAdmin() || isSuperAdmin();
            allow write: if isUser(userId) && notUpdating('admin') && notUpdating('super') && notUpdating('kycAuditor') || isAdmin() || isSuperAdmin();
            allow create: if isAuth();
        }

        match /admin/{database} {
            allow read: if true;
            allow update: if isAdmin() || isSuperAdmin();
            allow delete, create: if isSuperAdmin();
        }

        match /audit/{database} {
            allow read: if isSuperAdmin();
        }
  }
}