firestore.rules

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    
    // Helper function to check if user is authenticated
    function isAuthenticated() {
      return request.auth != null;
    }
    
    // Helper function to check if user owns the document
    function isOwner(userId) {
      return isAuthenticated() && request.auth.uid == userId;
    }
    
    // Users collection - users can only read/write their own data
    match /users/{userId} {
      allow read: if isOwner(userId);
      allow create: if isAuthenticated() && request.auth.uid == userId;
      allow update: if isOwner(userId);
      allow delete: if isOwner(userId);
      
      // Nutrition history subcollection
      match /nutrition_history/{entryId} {
        allow read: if isOwner(userId);
        allow write: if isOwner(userId);
      }
      
      // Favorites subcollection
      match /favorites/{foodId} {
        allow read: if isOwner(userId);
        allow write: if isOwner(userId);
      }
      
      // Meal logs subcollection
      match /meal_logs/{logId} {
        allow read: if isOwner(userId);
        allow write: if isOwner(userId);
      }

      // Nutrition AI chat/conversation subcollection
      match /conversations/{entryId} {
        allow read: if isOwner(userId);
        allow write: if isOwner(userId);
      }
    }
    
    // Myths collection - public read, authenticated write
    match /myths/{mythId} {
      allow read: if true;
      allow create: if isAuthenticated();
      allow update: if isAuthenticated();
      allow delete: if isAuthenticated() && (
        request.auth.uid == resource.data.askedBy ||
        get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin'
      );
    }
    
    // Admin-only collections
    match /admin/{document=**} {
      allow read, write: if isAuthenticated() && 
        get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }
  }
}