firestore.rules

service cloud.firestore {
  match /databases/{database}/documents {

    function isAdmin() {
    	return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isAdmin == true
    }

    function isModerator() {
    	return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isModerator == true
    }

    function isUser(uid) {
    	return request.auth.uid == uid
    }

    function isPublished() {
    	return resource.data.published == true
    }

    // anybody can read the photos but only admin can write
    match /photos/{photoId} {
      // allow read: if request.auth.uid != null;
      // allow read: if isModerator() || isAdmin() || resource.data.moderated != null;
      allow read: if isPublished() || isModerator()

      // allow create: if request.auth.uid != null;
			allow create: if true;

      allow update: if isModerator();

      // allow update: if resource.data.owner_id == request.auth.uid && resource.data.moderated=null

      allow write: if isAdmin();
    }

    // anybody can create a feedback but only login user can update
    // only moderator or admin can read and update the feedback
    match /feedbacks/{feedback} {

      allow create: if true;

      allow read: if isModerator() || isAdmin();
      allow update: if isModerator() || isAdmin();

      //allow update: if resource.data.owner_id == request.auth.uid

      // allow delete: if isModerator() || isAdmin();
    }

    // data written by admin
    match /users/{uid} {
    	allow read: if isAdmin() || isUser(uid);
      allow write: if isAdmin();
    }

    // Collection with system data. The Doc stats contains statistics.
    match /sys/stats {
      allow read: if true;
    }

    // some extra config
    match /sys/config {
      allow read: if true;
    }
  }
}