From cd376980664ac24d7a3f34265aeb9c934a035cca Mon Sep 17 00:00:00 2001
From: Matthew Grove <me@mgrove.uk>
Date: Tue, 26 Oct 2021 16:29:38 +0100
Subject: [PATCH] [FIX] set vocab could be deleted when set couldn't

---
 firestore.rules | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/firestore.rules b/firestore.rules
index 4a6986b..957bfe0 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -17,6 +17,11 @@ service cloud.firestore {
 		function isSetOwner(setId) {
 			return get(/databases/$(database)/documents/sets/$(setId)).data.owner == request.auth.uid;
 		}
+		
+		function isSetOwnerAndHasNoGroups(setId) {
+			let data = get(/databases/$(database)/documents/sets/$(setId)).data;
+			return data.owner == request.auth.uid && (data == null || data.groups == null || data.groups == []);
+		}
 
 		function isSetOwnerOrIsPublic(setId) {
 			let data = get(/databases/$(database)/documents/sets/$(setId)).data;
@@ -190,7 +195,7 @@ service cloud.firestore {
 				allow read: if isSignedIn() && isSetOwnerOrIsPublic(setId);
 				allow create: if isSignedIn() && isSetOwner(setId) && verifyCreateFields(getPossibleCreateFields()) && verifyVocabFieldTypes();
 				allow update: if isSignedIn() && isSetOwner(setId) && verifyUpdateFields(getPossibleUpdateFields()) && verifyVocabFieldTypes();
-				allow delete: if isSignedIn() && isSetOwner(setId);
+				allow delete: if isSignedIn() && isSetOwnerAndHasNoGroups(setId);
 			}
 		}