firestore.rules

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    match /comments/{commentId} {
      allow read;

      allow create:
        if request.resource.data.keys().hasOnly(['comment', 'createdAt', 'postId', 'userId', 'username'])
        && request.resource.data.comment.size() <= 500
        && request.resource.data.createdAt == request.time
        && exists(/databases/$(database)/documents/posts/$(request.resource.data.postId))
        && request.auth.uid == request.resource.data.userId
        && request.resource.data.username == get(/databases/$(database)/documents/users_2/$(request.auth.uid)).data.username;

      allow delete: if request.auth.uid == resource.data.userId;
    }

    match /feeds/{userId} {
      allow get;
    }

    match /likes/{likeId} {
      allow read;

      allow create:
        if request.resource.id == request.auth.uid + '_' + request.resource.data.postId
        && request.resource.data.keys().hasOnly(['postId', 'userId'])
        && exists(/databases/$(database)/documents/posts/$(request.resource.data.postId))
        && exists(/databases/$(database)/documents/users_2/$(request.resource.data.userId));

      allow delete: if request.auth.uid == resource.data.userId;
    }

    match /notifications/{notificationId} {
      allow read: if request.auth.uid == resource.data.userId;

      allow update:
        if request.auth.uid == resource.data.userId
        && request.resource.data.diff(resource.data).affectedKeys().hasOnly(['read'])
        && request.resource.data.read == true;
    }

    match /posts/{postId} {
      allow read:
        if resource.data.published == true
        || request.auth.uid == resource.data.userId;

      allow update:
        if request.resource.data.diff(resource.data).affectedKeys().hasOnly(['likes', 'updatedAt'])
        && (
          !('likes' in resource.data)
          || request.resource.data.likes.diff(resource.data.likes).affectedKeys().hasOnly([request.auth.uid])
        )
        && (request.resource.data.likes[request.auth.uid] == true || !(request.auth.uid in request.resource.data.likes))
        && request.resource.data.updatedAt == request.time;

      allow delete:
        if request.auth.uid == resource.data.userId;
    }

    match /users_2/{userId} {
      allow get;

      allow list: if request.query.limit == 1;
    }
  }
}