firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function isAdmin() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'administrator'
    }

     function isCurrentUser(user) {
      return request.auth.uid == user;
    }

    function noUpdateToAmin() {
      return request.resource.data.role != 'administrator';
    }

    function canAccessChats() {
    	let isOwner = request.auth.uid in resource.data.members;
    	return isSignedIn() && isOwner;
    }
    
    function isSignedIn() {
    	return request.auth != null;
    }

  	match /users/{docId} {
       allow read: if isSignedIn();
       allow write, update: 
        if isAdmin() || isCurrentUser(docId);
       allow delete: 
        if isAdmin();
    }

     match /chats {
			allow write: if isSignedIn();
      allow read, update, delete: if canAccessChats();
    }
    
    match /chats/{docId} {
			allow write: if isSignedIn();
      allow read, update, delete: if canAccessChats();
    }
  }
}