firestore.rules

service cloud.firestore {

  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth.uid != null;
    }

    match /users/{user} {
      allow create: if isSignedIn();
      allow get: if isSignedIn();
      allow list: if isSignedIn() && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.isAdmin;
      allow update, delete: if isSignedIn() && request.auth.uid == resource.data.uid;

      match /logins/{login} {
        allow read, write: if isSignedIn() && get(/databases/$(database)/documents/users/$(user)).data.uid == request.auth.uid;
      }
    }

    match /userStats/{user} {
      allow create, update: if isSignedIn();
      allow get, list: if true;
    }

    match /projects/{project} {
      allow create: if isSignedIn();
      allow get, list: if resource.data.type == 'public' || (isSignedIn() && (request.auth.uid in resource.data.access.admin || request.auth.uid in resource.data.access.readonly));
      allow update, delete: if isSignedIn() && request.auth.uid in resource.data.access.admin;

      function projectDoc() {
        return get(/databases/$(database)/documents/projects/$(project)).data
      }

      match /pings/{ping} {
        allow create: if isSignedIn();
        allow get, list: if resource.data.type == 'public' || request.auth.uid in projectDoc().access.admin || request.auth.uid in projectDoc().access.readonly;
        allow update, delete: if isSignedIn() && request.auth.uid in projectDoc().access.admin;
      }
    }

    match /repositories/{repository} {
      allow create: if false;
      allow get: if resource.data.private == false;
      allow list: if false;
      allow update: if false;
      allow delete: if false;
    }

    match /platform/stats {
      allow create: if false;
      allow get: if true;
      allow list: if false;
      allow update: if false;
      allow delete: if false;
    }
  }

}