From 3de8246451e3078b948f51d1ba1928dc5c2929f6 Mon Sep 17 00:00:00 2001
From: Roberto Fontanarosa
Date: Mon, 9 Mar 2026 10:25:40 +0100
Subject: [PATCH] Use canCollectData for LOI write permission

---
 firestore/firestore.rules | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/firestore/firestore.rules b/firestore/firestore.rules
index dbb0b98ef..900acc7dc 100644
--- a/firestore/firestore.rules
+++ b/firestore/firestore.rules
@@ -177,8 +177,8 @@
 allow get: if canViewLoi(getSurvey(surveyId), resource.data);
 // Allow all survey users to list LOIs.
 allow list: if canViewSurvey(getSurvey(surveyId));
- // Allow if user is owner of the existing LOI or can manage survey.
- allow update, delete: if isLoiOwner(resource.data) || canManageSurvey(getSurvey(surveyId));
+ // Allow if user is owner of the existing LOI and can collect data, or can manage survey.
+ allow update, delete: if (isLoiOwner(resource.data) && canCollectData(getSurvey(surveyId))) || canManageSurvey(getSurvey(surveyId));
 }
 
 // Apply survey-level permissions to submission documents.
@@ -189,8 +189,8 @@
 allow get: if canViewSubmission(getSurvey(surveyId), resource.data);
 // Allow all survey users to list submissions.
 allow list: if canViewSurvey(getSurvey(surveyId));
- // Allow if user is owner of the existing submission or can manage survey.
- allow update, delete: if isSubmissionOwner(resource.data) || canManageSurvey(getSurvey(surveyId));
+ // Allow if user is owner of the existing submission and can collect data, or can manage survey.
+ allow update, delete: if (isSubmissionOwner(resource.data) && canCollectData(getSurvey(surveyId))) || canManageSurvey(getSurvey(surveyId));
 }
 
 // Apply survey-level permissions to job documents.
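Review bot: Both rewritten `allow update, delete` rules (LOIs in this hunk, submissions in the second) test ownership only against `resource.data`, the document as currently stored, so nothing visible here constrains the owner value in the incoming `request.resource.data` on an update. `isLoiOwner` and `isSubmissionOwner` are defined outside the diff, so this may already be enforced elsewhere. If it is not, split `update` from `delete` and apply the same helper to the incoming document, e.g. `allow update: if (isLoiOwner(resource.data) && isLoiOwner(request.resource.data) && canCollectData(getSurvey(surveyId))) || canManageSurvey(getSurvey(surveyId));`, keeping `allow delete` as written. The enclosing `match` blocks begin above each hunk, so any `create` rule or field validation there is not visible.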
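Review bot: The subject line names only the LOI write permission, yet this hunk applies the same `canCollectData` requirement to submission `update` and `delete`, so the commit message should say that submissions are tightened as well. The diffstat lists only `firestore/firestore.rules`, so no rules test appears to accompany the change. A test asserting that an owner without collector access is refused update and delete on both LOIs and submissions, while a survey manager is still allowed, would pin the new behaviour.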