firestore.rules

service cloud.firestore {
  match /databases/{database}/documents {
    match /companies/{companyId} {
      allow read: if isSignedIn() && userBelongsToCompany();
      allow update, delete: if companyAdmin()
    }

    match /teams/{teamId} {
      allow read: if isSignedIn() && adminOrEmployee();
      allow create: if userAndAdmin();
      allow update, delete: if companyAdmin()
    }

    match /employees/{employeeId} {
      allow read: if isSignedIn() && userBelongsToCompany();
      allow create: if userAndAdmin();
      allow update, delete: if companyAdmin()
    }
  }

  function isSignedIn() {
    return (request.auth.uid != null)
  }

  function userIsAdmin() {
    return request.auth.token.role == 'admin'
  }

  function userBelongsToCompany() {
    return request.auth.token.companyId == resource.data.companyId
  }

  function userAndAdmin() {
    return isSignedIn() && userIsAdmin()
  }

  function companyAdmin() {
    return userAndAdmin() && userBelongsToCompany()
  }

  function adminOrEmployee() {
    return userBelongsToCompany() && (userIsAdmin() || resource.data.id == request.auth.uid)
  }

  function adminOrOwner() {
    return userBelongsToCompany() && (userIsAdmin() || resource.data.employeeId == request.auth.uid)
  }

  function notCreator() {
    return resource.data.status != 'creator'
  }
}