firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
  	// Restaurants:
    //   - Authenticated user can read
    //   - Authenticated user can create/update (for demo)
    //   - Validate updates
    //   - Deletes are not allowed
    match /restaurants/{restaurantId} {
      allow read, create: if request.auth != null;
      allow update: if request.auth != null
                    && request.resource.data.name == resource.data.name
      allow delete: if false;
      
      // Ratings:
      //   - Authenticated user can read
      //   - Authenticated user can create if userId matches
      //   - Deletes and updates are not allowed
      match /ratings/{ratingId} {
        allow read: if request.auth != null;
        allow create: if request.auth != null
                      && request.resource.data.userId == request.auth.uid;
        allow update, delete: if false;
        
        }
    }
    
    // MealPlannerUsers:
    //		 - Anyone can read
    //		 - Authenticated users can create and edit their account
    // 		 - Deletes are not allowed
    match /mealPlannerUsers/{userID} {
      allow read: if true;
      allow create, update, write: if true;
      allow delete: if false;
      
      // Favs: 
      //		 - Anyone can read
      //		 - Authenticated users can create and edit their account
      // 		 - Deletes are not allowed
      match /favs/{favID} {
        allow read, create, update, write: if true;
        allow delete: if false;
      }
    }

    // Messages:
    //   - Anyone can read.
    //   - Authenticated users can add and edit messages.
    //   - Validation: Check name is same as auth token and text length below 300 char or that imageUrl is a URL.
    //   - Deletes are not allowed.
    match /messages/{messageId} {
      allow read;
      allow create, update: if request.auth != null
                    && request.resource.data.name == request.auth.token.name
                    && (request.resource.data.text is string
                      && request.resource.data.text.size() <= 300
                      || request.resource.data.imageUrl is string
                      && request.resource.data.imageUrl.matches('https?://.*'));
      allow delete: if false;
    }

    // FcmTokens:
    //    - anyone can save its token
    //    - access is forbidden
    match /fcmTokens/{tokenID} {
      allow write;
      allow read: if false;
    }
    // Users: DevBook app
    match /users/{userID} {
    	allow read,write :if true;
    }
  }
}