firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    
    //*************************//
    //******** Functions ********//
    //*************************//

		function filterCreateOrder(orderData) {
      return
      	validateOrderSchema(orderData) &&
        orderData.status == 'pending';
    }

    function filterUpdateOrder(orderData) {
    let affectedKeys = orderData.diff(resource.data).affectedKeys();
      return
        affectedKeys.hasOnly(["paymentId", "user"]) &&
        !(affectedKeys.hasAny(["user"]) && !validateUserSchema(orderData.user)) &&
        !(affectedKeys.hasAny(["paymentId"]) && !validatePaymentId(orderData.paymentId, resource.id));
    }
    
    function filterCreatePayment(paymentData) {
      return
      	validatePaymentSchema(paymentData) &&
        paymentData.status == 'waiting' &&
        !paymentData.keys().hasAny(["preference_id"]) &&
        get(/databases/$(database)/documents/orders/$(paymentData.orderId)).data.status in ['pending', 'processing'];
        
    }
    
    // Order Schema
    function validateOrderSchema(orderData) {
    	return
      	orderData.keys().hasOnly(['user', 'status', 'createdAt']) &&
        validateUserSchema(orderData.user) &&
        orderData.createdAt == request.time &&
        orderData.status in ['pending', 'processing', 'completed', 'cancelled'];
    }
    
    // User Schema
    function validateUserSchema(userData) {
    	return
      	userData.keys().hasOnly(['fullname', 'email']) &&
      	userData.fullname is string &&
        userData.fullname.size() > 3 &&
      	isValidEmail(userData.email);
    }
    
    // Payment Schema
    function validatePaymentSchema(paymentData) {
    	let limitedKeys = ['method', 'amount', 'preference_id', 'address', 'secret', 'status', 'createdAt', 'orderId'];
    	return
      	paymentData.keys().hasOnly(limitedKeys) &&
        paymentData.amount > 0 &&
      	paymentData.method in ['crypto', 'mercadopago', 'invitation', 'bank'] &&
        paymentData.status in ['waiting', 'executing', 'paid', 'cancelled'] &&
        paymentData.createdAt == request.time &&
        exists(/databases/$(database)/documents/orders/$(paymentData.orderId));
    }

    function validatePaymentId(paymentId, orderId) {
      return get(/databases/$(database)/documents/payments/$(paymentId)).data.orderId == orderId;
    }
    
    // Only Admin User
    function isAdmin() {
    	return request.auth.token.adminAccount == true;
    }
    
    // Validate email
    function isValidEmail(email) {
    	return email.matches('^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,5}$');
    }
    
    //*************************//
    //******** Matches ********//
    //*************************//
		
    // Admin full read access
    allow read: if isAdmin();
    
    // Orders
    match /orders/{orderId} {
      allow read: if isAdmin();
    	allow get: if true;
      allow create: if filterCreateOrder(request.resource.data);
      allow update: if filterUpdateOrder(request.resource.data);
      // allow write: if isAdmin() && validateOrderSchema(request.resource.data);
    }

    // Payments
    match /payments/{paymentId} {
      allow get: if true;
      allow write: if isAdmin();
      allow create: if filterCreatePayment(request.resource.data);
    }

    // Purchases
    match /purchases/{purchaseId} {
      allow get: if true;
      allow write: if isAdmin();
    }
  }
}