firestore.rules

service cloud.firestore {
  match /databases/{database}/documents {
    function getSector(sectorId) {
      return get(/databases/$(database)/documents/entities/sector/entity/$(sectorId));
    }

    match /entities/{entityType}/entity/{entityId} {
      allow create: if false;
      allow update, delete: if resource.data.creator == request.auth.uid &&
        entityType in ["asteroidBase", "asteroidBelt", "blackHole", "deepSpaceStation",
          "gasGiantMine", "moon", "moonBase", "note", "orbitalRuin", "planet", 
          "refuelingStation", "researchBase", "sector", "spaceStation", "system"];
      allow read;
    }
    match /users/{uid} {
      allow read, write: if request.auth != null && uid == request.auth.uid;
    }
    match /navigation/{sectorId}/routes/{routeId} {
      allow write: if request.auth != null
        && getSector(sectorId).data.creator == request.auth.uid;
      allow read;
    }
    match /layers/{sectorId}/layer/{layerId=**} {
      allow create: if request.auth != null
        && getSector(sectorId).data.creator == request.auth.uid
        && ('regions' in request.resource.data || request.resource.data.name.size() <= 40);
      allow update, delete: if request.auth != null
        && getSector(sectorId).data.creator == request.auth.uid;
      allow read;
    }
    match /factions/{sectorId}/faction/{factionId=**} {
      allow create: if request.auth != null
        && getSector(sectorId).data.creator == request.auth.uid
        && request.resource.data.name.size() <= 40;
      allow update, delete: if request.auth != null
        && getSector(sectorId).data.creator == request.auth.uid;
      allow read;
    }
    match /tags/{tagId} {
      allow create: if request.auth != null
        && request.resource.data.creator == request.auth.uid;
      allow update, delete: if request.auth != null
        && resource.data.creator == request.auth.uid;
      allow read;
    }
    match /{document=**} {
      allow read, write: if false;
    }
  }
}