firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /projects/{project} {

      function isInPublicGalleryOrIsCreator(uid, galleryID) {
        let gallery = get(/databases/$(database)/documents/galleries/$(galleryID)).data;
        return gallery != null && (gallery.public || uid in gallery.creators || uid in gallery.curators);
      }

      function isCuratorOfProjectInGallery(uid, galleryID) {
        let gallery = get(/databases/$(database)/documents/galleries/$(galleryID)).data;
        return gallery != null && (uid in gallery.curators || uid in gallery.creators);
      }

      allow create: if request.auth != null;
      // Projects are readable if:
      // 1) They are public
      // 2) The requestor is the owner or a collaborator
      // 3) The requestor is a curator or creator of the gallery that the project is in, so all gallery projects are readable.
      allow read: if 
        ('public' in resource.data && resource.data.public) || 
        (request.auth != null && 
          ( 
            ("mod" in request.auth.token && request.auth.token.mod) ||
            ('owner' in resource.data && resource.data.owner == request.auth.uid) || 
            ('collaborators' in resource.data && request.auth.uid in resource.data.collaborators) || 
            ('gallery' in resource.data && resource.data.gallery != null && isInPublicGalleryOrIsCreator(request.auth.uid, resource.data.gallery))
          )
        );
      allow update: 
        if request.auth != null && 
          (
            resource.data.owner == request.auth.uid || 
            request.auth.uid in resource.data.collaborators || 
            ("mod" in request.auth.token && request.auth.token.mod) ||
            (resource.data.gallery != null && isCuratorOfProjectInGallery(request.auth.uid, resource.data.gallery))
          );
      allow delete: if request.auth != null && resource.data.owner == request.auth.uid;
    }
    match /creators/{uid} {
      allow read, write: if request.auth != null && request.auth.uid == uid;
    }
    match /galleries/{gallery} {
      allow create: if request.auth != null;
      allow read: if ("public" in resource.data && resource.data.public) || (request.auth != null && (request.auth.uid in resource.data.curators || request.auth.uid in resource.data.creators));
      
      allow update: 
        if request.auth != null && 
          // Curators can update anything
          // Creators can't update public status or creator or curator list.
          (
            request.auth.uid in resource.data.curators || 
            (
              request.auth.uid in resource.data.creators && 
              request.resource.data.public == resource.data.public && 
              request.resource.data.curators == resource.data.curators && 
              request.resource.data.creators == resource.data.creators
            )
          );
      allow delete: if request.auth != null && request.auth.uid in resource.data.curators;
    }
  }
}