firestore.rules

rules_version = '2';
service cloud.firestore {
    match /databases/{database}/documents {

        // General rule for all documents to be readable/writable by authenticated users
        match /{document=**} {
            allow read, write: if request.auth != null;
        }

        // Specific rules for the organisations collection
        match /organisations/{organisationId} {
            // Only Administrator can create or modify organisations
            allow write: if request.auth.token.role == 'Administrator';

            // Allow read if the user is an administrator or belongs to the organisation
            allow read: if request.auth.token.role == 'Administrator'
                || request.auth.token.organisationId == organisationId;

            // Public drink cards: Allow read access to active drink cards without authentication
            match /properties/{propertyId}/drinkCards/{drinkCardId} {
                allow read: if true;
            }
        }
    }
}