firestore.rules.WiP

// WiP - CC - 2020-02-24
// As part of future security update will make better use of firestore rules, as stubbed out below
// Note - will also need to include any legacy revisions as required

service cloud.firestore {
	// rules will apply to all docs in database
  match /databases/{database}/documents {
    // Function to check whether request user has specific permission set in user database
    function hasUserRole(username,role){
      // TODO - look up a profile to see if the user has specific role (e.g. admin)
      // NOTE - this is not currently possible as the username is not sent with a request
      // but could be made possible by setting the firebase auth name to the username
      // and ensuring all users had a userRoles property
      // NOTE 2 - possible code below but would need testing (https://firebase.google.com/docs/reference/rules/rules.List)
      // return role in get(/databases/$(database)/documents/v3_users/$(username)).data.userRoles
      return true
    }
		// Function to check if request to modify a document is by the auth owner
    function isSameUser(username){
      return get(/databases/$(database)/documents/v3_users/$(username)).data._authID==request.auth.uid
    }
    match /v3_users/{username} {
    allow read, write: if hasUserRole('admin')
    allow read,write
    }
		// users can read/write their own user docs    
    match /v3_users/{username} {
    allow read, write: if isSameUser(username)
    }
	}
}