firestore.rules

rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    // Helper function to check if user is authenticated
    function isAuthenticated() {
      return request.auth != null;
    }

    // Helper function to check if user is accessing their own data
    function isUserData(userId) {
      return isAuthenticated() && request.auth.uid == userId;
    }

    // Settings
    match /users/{userId}/settings/{document=**} {
      allow read, write: if isUserData(userId);
    }

    // Food entries
    match /users/{userId}/foodEntries/{date}/{document=**} {
      allow read, write: if isUserData(userId);
    }

    // Daily progress
    match /users/{userId}/progress/{document=**} {
      allow read, write: if isUserData(userId);
    }

    // Workout plans and sessions
    match /users/{userId}/workoutPlans/{planId} {
      allow read, write: if isUserData(userId);
      
      // Allow access to nested sessions collection
      match /sessions/{sessionId} {
        allow read, write: if isUserData(userId);
      }
    }

    // Completed workout sessions
    match /users/{userId}/completedSessions/{sessionId} {
      allow read, write: if isUserData(userId);
    }

    // Foods collection (shared database)
    match /foods/{foodId} {
      // Anyone can read food entries
      allow read: if isAuthenticated();
      // Only authenticated users can create entries
      allow create: if isAuthenticated() && 
                   request.resource.data.createdBy == request.auth.uid;
      // Only the creator can update or delete their entries
      allow update, delete: if isAuthenticated() && 
                          resource.data.createdBy == request.auth.uid;
    }

    // Disallow access to all other collections by default
    match /{document=**} {
      allow read, write: if false;
    }
  }
}