Recommended Firestore rules
Roles are stored in the `role` field of /users/<uid>; the rules below read that document on every request to enforce permissions server-side.
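rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Helpers. Every role check reads the caller's own /users/{uid} document.
    // A missing document or a missing `role` field yields null, i.e. no privileges.
    function signedIn() { return request.auth != null; }
    function userPath() { return /databases/$(database)/documents/users/$(request.auth.uid); }
    function role() {
      // `data.get('role', null)` instead of `data.role`: a profile without the
      // field must evaluate to null rather than raise and deny the whole request.
      return signedIn() && exists(userPath())
        ? get(userPath()).data.get('role', null)
        : null;
    }
    function isAdmin() { return role() in ['Admin', 'Developer']; }
    function isDev() { return role() == 'Developer'; }
    // True when a write leaves the `role` field untouched (absent in both
    // versions, or unchanged). Used so a user editing their own profile
    // cannot escalate by writing `role`.
    function roleUnchanged() {
      return !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']);
    }
    // True when the incoming document carries no privileged role
    // (null / absent or any value outside the Admin/Developer set).
    function noPrivilegedRole() {
      return !(request.resource.data.get('role', null) in ['Admin', 'Developer']);
    }

    match /users/{uid} {
      allow read: if signedIn() && request.auth.uid == uid;
      // Fix: create was `signedIn()` only, so any signed-in user could create
      // /users/{anyUid} with role 'Developer'. Creation is now limited to the
      // caller's own uid and must not self-assign a privileged role.
      allow create: if signedIn() && request.auth.uid == uid && noPrivilegedRole();
      // Fix: self-update could rewrite `role`. Owners may edit their profile
      // but not `role`; Admins may change roles, but only a Developer can
      // grant 'Developer' (an Admin may still edit a Developer's profile as
      // long as `role` is left as-is).
      allow update: if signedIn() && (
        (request.auth.uid == uid && roleUnchanged())
        || (isAdmin() && (
             roleUnchanged()
             || isDev()
             || request.resource.data.get('role', null) != 'Developer'))
      );
      allow delete: if isDev();
    }

    match /inventory/{doc} {
      allow read: if signedIn();
      allow create, update: if isAdmin();
      allow delete: if isDev();
    }

    match /loans/{doc} {
      // NOTE(review): any signed-in user can create or edit any loan document.
      // Once the field that names the borrower is confirmed, restrict create/update
      // to that user (request.auth.uid) or isAdmin().
      allow read, create, update: if signedIn();
      allow delete: if isAdmin();
    }

    match /invites/{code} {
      allow read: if isAdmin();
      allow create, delete: if isAdmin();
    }

    match /logs/{doc} {
      // Append-only for regular users: any signed-in user may add an entry;
      // rewriting or removing entries requires Developer.
      allow read, create: if signedIn();
      allow update, delete: if isDev();
    }
  }
}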