firestore.rules

rules_version = '2';
service cloud.firestore {
    match /databases/{database}/documents {

        // Common
        function authenticated() { return request.auth.uid != null; }

        function eventData(eventId) { return get(/databases/$(database)/documents/events/$(eventId)).data; }
        function isAdmin(data) { return data.owner == request.auth.uid || request.auth.uid in data.members;}
        function isSuperAdmin(userId) { return exists(/databases/$(database)/documents/admins/users/admins/$(userId)); }

        match /events/{eventId} {
            allow read: if authenticated() && (isAdmin(resource.data) || isSuperAdmin(request.auth.uid));
            allow create: if authenticated();
            allow write: if authenticated() && isAdmin(resource.data);

            match /sessions/{sessionId} {
                allow read: if authenticated() && isAdmin(eventData(eventId));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /sessionsTemplate/{sessionId} {
                allow read: if authenticated() && isAdmin(eventData(eventId));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /speakers/{speakerId} {
                allow read: if authenticated() && isAdmin(eventData(eventId));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /sponsors/{sponsorId} {
                allow read: if authenticated() && isAdmin(eventData(eventId));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /team/{memberId} {
                allow read: if authenticated() && isAdmin(eventData(eventId));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /faq/{category=**} {
                allow read: if authenticated() && isAdmin(eventData(eventId));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
            match /schedule/{scheduleId} {
                allow read: if authenticated() && isAdmin(eventData(eventId));
                allow write: if authenticated() && isAdmin(eventData(eventId));
            }
        }

        match /admins/users/admins/{userId} {
        	allow read: if authenticated() && isSuperAdmin(request.auth.uid);
            allow write: if false;
            allow create: if false;
        }

    }
}