firestore.rules

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    // Helper functions
    function isAuthenticated() {
      return request.auth != null;
    }
    
    function isOwner(userId) {
      return isAuthenticated() && request.auth.uid == userId;
    }
    
    function isAdmin() {
      return isAuthenticated() && 
        exists(/databases/$(database)/documents/users/$(request.auth.uid)) &&
        get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }
    
    function isValidUser() {
      return request.resource.data.keys().hasAll([
        'email', 'displayName', 'role', 'createdAt', 'updatedAt'
      ]);
    }
    
    // Users collection
    match /users/{userId} {
      allow read: if isAuthenticated();
      allow create: if isAuthenticated() && isValidUser();
      allow update: if isOwner(userId) || isAdmin();
      allow delete: if isAdmin();
      
      // User's private data subcollection
      match /private/{document=**} {
        allow read, write: if isOwner(userId);
      }
    }
    
    // Agencies collection
    match /agencies/{agencyId} {
      allow read: if isAuthenticated();
      allow create: if isAuthenticated() && 
        request.resource.data.createdBy == request.auth.uid;
      allow update: if isAuthenticated() && (
        resource.data.createdBy == request.auth.uid || isAdmin()
      );
      allow delete: if isAdmin();
      
      // Agency's policies subcollection
      match /policies/{policyId} {
        allow read: if isAuthenticated();
        allow write: if isAuthenticated() && (
          resource.data.createdBy == request.auth.uid || isAdmin()
        );
      }
      
      // Agency's scenarios subcollection
      match /scenarios/{scenarioId} {
        allow read: if isAuthenticated();
        allow write: if isAuthenticated() && (
          resource.data.createdBy == request.auth.uid || isAdmin()
        );
      }
    }
    
    // Analytics collection
    match /analytics/{document=**} {
      allow read: if isAuthenticated();
      allow write: if isAdmin();
    }
    
    // Public data collection
    match /public/{document=**} {
      allow read: if true;
      allow write: if isAdmin();
    }
  }
}