Basically you have two options to implement complex authorizations while staying within the Firebase serverless realm:
1) Use callable/HTTPS Cloud Functions to write data to your database and do all checks there + forbid any client writes using Security Rules
2) Optimistically allow client writes with minimal checks using Security Rules + validate and correct data using background-triggered Cloud Functions.
There is a good post about these patterns: Patterns for security with Firebase: combine rules with Cloud Functions for more flexibility
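
A sketch of option 1, added here as an illustration and not part of the original answer: the authorization decision lives in one plain function that a callable Cloud Function handler would invoke. The "teams" data model, the role names, `setMemberRole`, `AuthzError` and the in-memory `Map` standing in for the database are all assumptions made for the example.

```javascript
// Added example of option 1. Assumptions (not from the post): the "teams" model,
// role names, and a Map standing in for the database.
// Security Rules deny every client write to this data, so this is the only write path.
const ROLES = ['viewer', 'editor', 'admin'];

class AuthzError extends Error {
  constructor(code, message) {
    super(message);
    this.code = code; // e.g. unauthenticated, permission-denied, invalid-argument
  }
}

// Constructed sample data.
function sampleDb() {
  return new Map([['team1', { members: { alice: 'admin', bob: 'editor' } }]]);
}

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// auth: { uid } from the verified ID token, or null. data: untrusted client payload.
function setMemberRole(db, auth, data) {
  if (!auth || typeof auth.uid !== 'string') {
    throw new AuthzError('unauthenticated', 'Sign-in required');
  }
  const { teamId, targetUid, role } = data || {};
  if (typeof teamId !== 'string' || typeof targetUid !== 'string' || !ROLES.includes(role)) {
    throw new AuthzError('invalid-argument', 'Bad teamId, targetUid or role');
  }
  const team = db.get(teamId);
  // Same error for "no such team" and "not an admin", so team ids cannot be probed.
  if (!team || !has(team.members, auth.uid) || team.members[auth.uid] !== 'admin') {
    throw new AuthzError('permission-denied', 'Only team admins can change roles');
  }
  if (!has(team.members, targetUid)) {
    throw new AuthzError('not-found', 'Target is not a member of this team');
  }
  // Cross-record invariant that is awkward to express in rules: keep at least one admin.
  const admins = Object.keys(team.members).filter((u) => team.members[u] === 'admin');
  if (team.members[targetUid] === 'admin' && role !== 'admin' && admins.length === 1) {
    throw new AuthzError('failed-precondition', 'Team must keep at least one admin');
  }
  team.members[targetUid] = role; // the only place a role is ever written
  return { teamId, targetUid, role };
}
```

The caller's identity comes only from `auth`, never from the payload, which is what makes the server-side check meaningful once client writes are forbidden.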