firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // helper functions
    function isEmailVerified(request) {
      return request.auth.token.email_verified;
    }

    function adminExists(businessID, adminID) {
      return exists(/databases/$(database)/documents/businesses/$(businessID)/admins/$(adminID));
    }

    function employeeExists(businessID, employeeID) {
      return exists(/databases/$(database)/documents/businesses/$(businessID)/employees/$(employeeID));
    }

    function getAdminBusinessID(businessID, adminID) {
      return get(/databases/$(database)/documents/businesses/$(businessID)/admins/$(adminID)).data.businessID;
    }

    function getUserBusinessID(userID) {
      return get(/databases/$(database)/documents/users/$(userID)).data.businessID;
    }


    // match admin documents during collectionGroup queries
    match /{path=**}/admins/{adminID} {
      // let admins read their own documents
      allow read: if request.auth.uid == resource.data.adminID;

      // don't let anyone update their admin document except through the backend
      allow write: if false;
    }

    // match employee documents during collectionGroup queries
    match /{path=**}/employees/{employeeID} {
      // let employees read their own documents
      allow read: if request.auth.uid == resource.data.employeeID;

      // don't let anyone update their admin document except through the backend
      allow write: if false;
    }


    // match business documents and their subcollections
    match /businesses/{businessID}/{document=**} {
      // let verified admins read the business doc they belong to
      allow read: if adminExists(businessID,request.auth.uid) || employeeExists(businessID,request.auth.uid);

      // don't let anyone write to business documents
      allow write: if false;

    }

    // don't let anyone read or write mail documents
    match /mail/{mailID} {
      allow read, write: if false;
    }
  }
}