firestore.rules

service cloud.firestore {
  match /databases/{database}/documents {
    function isAuthed() {
      return request.auth.uid != null
    }
    function isOwner(res) {
      return res.data.createdBy == request.auth.uid
    }

    // Private user profiles
    match /users/{userId} {
      allow read;
      allow write: if request.auth.uid == userId;
    }

    // Public user profiles
    match /users_public/{userId} {
      allow read;
      allow write: if false; // only written to by indexUser cloud function
    }

    // Projects
    match /projects/{projectId} {
      // Only projects you own can be viewed
      allow read, write: if isOwner(request.resource);
      // Rules apply to all child collections
      match /{allChildren=**} {
        allow read, write: if isOwner(get(/databases/$(database)/documents/projects/$(projectId)));
      }
    }
  }
}