firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isAdmin(userId) {
      return get(/databases/$(database)/documents/users/$(userId)).data.isAdmin == true
    }
    match /users/{uid} {
      // Can read own data, admin can read all
      allow read:
        if request.auth.uid == uid
          || isAdmin(request.auth.uid)
      // Can set own user data, except the admin flag
      allow write:
        if request.auth.uid == uid
          && (!('isAdmin' in request.resource.data)
            || request.resource.data.isAdmin == resource.data.isAdmin)
    }
    match /comments/{comment} {
      function isAuthor(userId) {
        return userId == get(/databases/$(database)/documents/comments/$(comment)).data.userId;
      }
      function isAuthorOrAdmin(userId) {
        return isAuthor(userId) || isAdmin(userId)
      }
      allow read
      allow create: if request.auth.uid != null
      allow update: if isAuthorOrAdmin(request.auth.uid)
      allow delete: if isAuthorOrAdmin(request.auth.uid)
   }
    match /{document=**} {
      allow read, write: if false
    }
    match /locations/{document=**} {
      allow read
    }
    match /videos/{document=**} {
      allow read
      allow write: if isAdmin(request.auth.uid)
    }
  }
}