You could make this considerably simpler by simply using a node.js script to assign the cards randomly to players.
However, you could accomplish this fairly well with security rules using the following process:
- Generate a couple hundred/thousand "random_decks" manually by writing a quick JavaScript to randomly order the cards in each deck (use the push() command in Firebase); simultaneously generate the card_names/ values so the random ids in each deck map to a specific (unknown) card
- Have the "dealer" pick the next available deck (and move it to a new path where used decks are stored)
- When players want to draw cards, they remove it from the game_deck to their "hand"; they won't know which card it is until it is placed in their hand
- Players cannot delete cards from their hand once they are claimed so there would be no way to trade up
- Only allow the face values of the cards to be read after they have been drawn, so only the owner can read which cards he has until the "reveal"
- Once the cards are revealed, perhaps all players can read anything in their "deck" to see which cards belong to whom (assuming a reveal is appropriate in the game)
The data structure would look something like this:
/random_decks/$game_id/$random_generated_id
/game/$game_id/deck (move deck here when it is claimed)
/my_hand/$user_id/$game_id/$random_generated_id (once card is here, I can read card_names)
/card_names/$game_id/$random_generated_id (real card name goes here)
The security rules would be things similar to these:
// game_deck/$game_id
// can only be copied from random_decks
".write": "root.child('random_decks/'+$game_id).exists()"
// game_deck/$game_id/deck/$random_generated_id
// must exist in random_decks/$game_id to create it here
".write": "root.child('random_decks/'+$game_id+'/$random_generated_id).exists()"
// random_decks/$game_id
// can only delete pre-generated decks (should be done after copying to a game)
".write": "!newData.exists()"
// card_names/$game_id/$random_generated_id
// can only read it if I own the card
".read": "root.child('my_hand/'+auth.uid+'/'+$game_id+'/'+$random_generated_id).exists()"
// or maybe if the game has reached the "reveal" phase
".read": "root.child('game_deck/'+$game_id+'/revealed').val() === true"
Hopefully that will get you started.