// permissions.bolt
//
// Design goals:
//
// - All logged-in users can get a list of users
// - Only admin can create
// - Only admin or currentUser can update or delete
//
// - Only admin can write roles
//
// - Any logged-in user can get a list of projects
// - Any logged-in user can create a project
// - Only admin can update a project
// - No one can delete a project
//
// See https://www.firebase.com/docs/security/guide/user-security.html
// Users tree.
// The read grant here applies to the whole subtree, so every signed-in user
// can read every /users/{uid}/profile and /users/{uid}/roles node. No write
// rule exists on /users or /users/{uid} themselves; writes are only granted
// on the leaf nodes declared below, so a whole user node cannot be replaced
// in a single request.
path /users {
  read() { isSignedIn() }
}

// Profile nodes: only an admin may create one; an existing profile may be
// changed or removed by an admin or by the user it belongs to.
path /users/{uid}/profile {
  create() { isAdmin() }
  update() { isAdmin() || isCurrentUser(uid) }
  delete() { isAdmin() || isCurrentUser(uid) }
}

// Role flags are what isAdmin() reads (roles/admin == true), so they are
// writable by existing admins only; a user cannot grant roles to themselves.
path /users/{uid}/roles {
  write() { isAdmin() }
}
// Projects tree.
// The read grant here cascades, so every signed-in user can read every
// project including its /members and /modules nodes.
path /projects {
  read() { isSignedIn() }
}

// Individual project nodes.
// NOTE(review): in Firebase rules a write grant on a node covers its whole
// subtree, so create() below lets the creating user write the initial
// /members and /modules content, and update() lets an admin or a project
// admin rewrite them as part of a write to the project node. The isAdmin()
// restriction on the two child paths is only enforced for writes addressed
// directly at those children. update() is also wider than the header's
// "Only admin can update a project" goal because it accepts
// isProjectAdmin(project_id); confirm which of the two is intended.
path /projects/{project_id} {
  // Same grant as the parent read(); kept so the rule is explicit here.
  read() { isSignedIn() }
  create() { isSignedIn() }
  update() { isAdmin() || isProjectAdmin(project_id) }
  // No client request may remove a project node.
  delete() { false }
}

// Membership (and therefore project-admin status) is managed by admins only
// when written directly at this path; see the cascade note above.
path /projects/{project_id}/members {
  write() { isAdmin() }
}

path /projects/{project_id}/modules {
  write() { isAdmin() }
}
//
// Helper Functions
//
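// True when the request is authenticated as exactly the user `id`.
isCurrentUser(id) { auth != null && auth.uid == id }

// True for any authenticated request.
isSignedIn() { auth != null }

// Global admin: the caller's own /users/{uid}/roles/admin flag is `true`.
// Only admins may write /users/{uid}/roles (see path /users), so the flag
// cannot be self-granted; the first admin must be seeded with privileged
// (non-client) access — confirm how that bootstrap is done.
isAdmin() { auth != null && root.users[auth.uid].roles.admin == true }

// Alias of isProjectAdmin(), kept for compatibility; no caller in this file.
// The previous definition referenced `project_id` without declaring it as a
// parameter, so it could not be expanded at any call site; it now takes the
// project id explicitly and delegates.
adminCanUpdate(project_id) { isProjectAdmin(project_id) }

// Project admin: the caller appears in /projects/{project_id}/members with
// isAdmin == true.
isProjectAdmin(project_id) { auth != null && root.projects[project_id].members[auth.uid].isAdmin == true }

// Project member: the caller has any entry in /projects/{project_id}/members.
// No caller in this file. `auth != null` is checked first, consistent with
// the other helpers, so an unauthenticated request is denied before
// auth.uid is dereferenced.
isProjectMember(project_id) { auth != null && root.projects[project_id].members[auth.uid].exists() }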