Update rules to allow users to see data collected by others (#2211)

Co-authored-by: Gino Miceli <[email protected]>

Author: rfontanarosa

firestore/firestore.rules

@@ -30,12 +30,19 @@
      * data to the specified survey.
      */
     function isUnlistedOrPublic(survey) {
-    	return survey["8"] in [
+      return survey["8"] in [
         2 /* UNLISTED */,
         3 /* PUBLIC */
       ];
     }
 
+    /**
+     * Returns true iff data collectors can see each others' data.
+     */
+    function canViewDataCollectedByOthers(survey) {
+      return survey["9"] == 2 /* ALL_SURVEY_PARTICIPANTS */
+    }
+
     /**
      * Returns the current user's role in the given survey.
      */
@@ -67,14 +74,30 @@
     }
 
     /**
-     * Returns true iff the user with the given email can read the specified
+     * Returns true iff the user with the user's email can read the specified
      * survey.
      */
     function canViewSurvey(survey) {
       return canAccess() &&
         (isUnlistedOrPublic(survey) || getRole(survey) != null);
     }
 
+    /**
+    * Returns true iff user can see each other's lois in the specified
+    * survey.
+    */
+    function canViewLoi(survey, loi) {
+      return canViewSurvey(survey) && (isLoiOwner(loi) || canViewDataCollectedByOthers(survey));
+    }
+
+    /**
+    * Returns true iff user can see each other's submissions in the specified
+    * survey.
+    */
+    function canViewSubmission(survey, submission) {
+      return canViewSurvey(survey) && (isSubmissionOwner(submission) || canViewDataCollectedByOthers(survey));
+    }
+
     /**
      * Returns true if the current user has one of the specified roles in the
      * given survey.
@@ -95,7 +118,7 @@
     }
 
     /**
-     * Returns true iff the current user with the given email can contribute LOIs 
+     * Returns true iff the current user with the given email can contribute LOIs
      * and submissions to the specified survey.
      */
     function canCollectData(survey) {
@@ -149,20 +172,20 @@
       allow read: if request.auth != null;
     }
 
-    // Apply passlist and survey-level ACLs to LOI documents.
+    // Apply passlist and survey-level General Access and/or ACLs to LOI documents.
     match /surveys/{surveyId}/lois/{loiId} {
-      // Allow if user has has read access to the survey.
-      allow read: if canViewSurvey(getSurvey(surveyId));
+      // Allow if user has read access to the survey and the LOI.
+      allow read: if canViewLoi(getSurvey(surveyId), request.resource);
       // Allow if user is owner of the new LOI and can collect data.
       allow create: if isLoiOwner(request.resource) && canCollectData(getSurvey(surveyId));
       // Allow if user is owner of the existing LOI or can manage survey.
       allow write: if isLoiOwner(resource) || canManageSurvey(getSurvey(surveyId));
     }
 
-    // Apply passlist and survey-level ACLs to submission documents.
+    // Apply passlist and survey-level General Access and/or ACLs to submission documents.
     match /surveys/{surveyId}/submissions/{submissionId} {
-      // Allow if user has has read access to the survey.
-      allow read: if canViewSurvey(getSurvey(surveyId));
+      // Allow if user has read access to the survey and the submission.
+      allow read: if canViewSubmission(getSurvey(surveyId), request.resource);
       // Allow if user is owner of the new submission and can collect data.
       allow create: if isSubmissionOwner(request.resource) && canCollectData(getSurvey(surveyId));
       // Allow if user is owner of the existing submission or can manage survey.
@@ -171,7 +194,7 @@
 
     // Apply passlist and survey-level ACLs to job documents.
     match /surveys/{surveyId}/jobs/{jobId} {
-      // Allow if user has has read access to the survey.
+      // Allow if user has read access to the survey.
       allow read: if canViewSurvey(getSurvey(surveyId));
       // Allow if user can manage survey.
       allow create, write: if canManageSurvey(getSurvey(surveyId));