I have been trying over and over to restructure my rules in order to get access to the documents with no luck.
I have a collection of “networks” with a sub-collection of “members.” Each network document has two fields, loginRequired and membershipRequired, which determine what level of authentication is needed to access the network document and its sub-collections.
I’ve attached my rules below and I’ve confirmed that the membershipRequired / loginRequired fields are both at the top level of the network document.
I’m getting permission denied at all levels. What could I be doing wrong?
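match /networks/{networkID} {
  // Parent network document used by the nested rule below. Each get() is a
  // billed document read and counts toward the per-request document-access
  // limit, so the path is written once here rather than repeated inline.
  function networkData(database, networkID) {
    return get(/databases/$(database)/documents/networks/$(networkID)).data;
  }

  // `allow read` covers both get and list. For a list query the condition
  // is evaluated against the query, not per returned document, so a query
  // over `networks` with no filter on loginRequired/membershipRequired is
  // denied even when every document would individually pass (rules are not
  // filters). NOTE(review): this looks like the most likely source of a
  // blanket "permission denied" — confirm whether the client lists the
  // collection; if so, filter on the same fields or split into
  // `allow get` / `allow list`.
  allow read: if isAdmin()
    || !planRequiresAuth()
    || (isLoggedIn()
        && (resource.data.membershipRequired
            ? (isPlanMember(database, networkID)
               || isProviderPlanMember(database, networkID))
            : true));

  // Recursive wildcard: every document under this network, including any
  // sub-collection added later and the members roster itself, inherits this
  // read rule — so each member can read the other membership documents.
  // NOTE(review): confirm that exposure is intended.
  // The nested document is gated on the parent network's flags (via get()),
  // never on its own fields; `resource` here is the nested document.
  match /{document=**} {
    allow read: if isAdmin()
      || !networkData(database, networkID).loginRequired
      || (isLoggedIn()
          && (networkData(database, networkID).membershipRequired
              ? (isPlanMember(database, networkID)
                 || isProviderPlanMember(database, networkID))
              : true));
  }
}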
// Utility Functions
function isAdmin() {
  // Admin access is a role carried on the caller's ID token; hasRole()
  // performs the claim lookup.
  return hasRole('ADMIN');
}
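function planRequiresAuth() {
  // True when the network document being read requires a signed-in user
  // (loginRequired) or a membership (membershipRequired). Only meaningful
  // where `resource` is the network document itself.
  // Fail closed: a missing or non-boolean flag is treated as "auth required"
  // rather than relying on an evaluation error to produce the deny. For
  // documents where both flags are present booleans this is unchanged.
  return resource.data.get('loginRequired', true) != false
    || resource.data.get('membershipRequired', true) != false;
}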
function isLoggedIn() {
  // Any authenticated caller, regardless of claims or roles.
  return !(request.auth == null);
}
function isPlanMember(database, networkID) {
  // The caller is a member when a document keyed by their uid exists in the
  // network's members sub-collection. Callers must already have checked
  // isLoggedIn(); request.auth.uid is an error for anonymous requests.
  return exists(/databases/$(database)/documents/networks/$(networkID)/members/$(request.auth.uid));
}
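function isProviderPlanMember(database, networkID) {
  // True when the caller's organization (custom claim token.meta.organizationId)
  // has a membership document under the network.
  // Both call sites already gate on the network's membershipRequired flag, so
  // it is not re-read here: inside the `{document=**}` match, `resource` is
  // the nested document rather than the network, and reading its
  // membershipRequired field is an evaluation error (a deny) instead of the
  // intended check. The old `: true` fallback also made an unrelated value
  // of that field grant access, which this version no longer does.
  // A missing organizationId claim is an error and therefore a deny.
  let orgId = request.auth.token.meta.organizationId;
  return exists(/databases/$(database)/documents/networks/$(networkID)/members/$(orgId));
}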
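function hasRole(role) {
  // Roles are read from a custom-claim list on the ID token.
  // Guard the unauthenticated case and a token without the `roles` claim:
  // `request.auth.token` is an error when request.auth is null, and isAdmin()
  // is the first disjunct of every read rule, so anonymous readers must get
  // a plain `false` here rather than an evaluation error.
  return request.auth != null
    && 'roles' in request.auth.token
    && role in request.auth.token.roles;
}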
I’ve tried setting it to allow all reads and it works fine.
I’ve tried allowing all sub-collections to be read and that works as well, but I have a feeling this is not what I’m looking for, as the sub-collections need to be gated too.