firebase.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Helper functions
    function isAuthenticated() {
      return request.auth != null;
    }
    
    function isAdmin() {
      return isAuthenticated() && 
        get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }
    
    function isOwner(userId) {
      return isAuthenticated() && request.auth.uid == userId;
    }
    
    function hasActivePremium(userId) {
      return get(/databases/$(database)/documents/users/$(userId)).data.subscription.tier == 'premium' &&
        get(/databases/$(database)/documents/users/$(userId)).data.subscription.validUntil > request.time;
    }

    // Users collection
    match /users/{userId} {
      allow read: if isAuthenticated() && (isOwner(userId) || isAdmin());
      allow create: if isAuthenticated() && isOwner(userId);
      allow update: if isAuthenticated() && (isOwner(userId) || isAdmin());
      allow delete: if isAdmin();
    }

    // Tutorials collection
    match /tutorials/{tutorialId} {
      allow read: if 
        !resource.data.isPremium || 
        (isAuthenticated() && hasActivePremium(request.auth.uid));
      allow write: if isAdmin();
    }

    // Progress collection
    match /progress/{progressId} {
      allow read: if isAuthenticated() && (
        resource.data.userId == request.auth.uid || isAdmin()
      );
      allow create, update: if isAuthenticated() && (
        request.resource.data.userId == request.auth.uid
      );
      allow delete: if isAdmin();
    }

    // Subscriptions collection
    match /subscriptions/{subscriptionId} {
      allow read: if isAuthenticated() && (
        resource.data.userId == request.auth.uid || isAdmin()
      );
      allow write: if isAdmin();
    }

    // Checkout Sessions collection
    match /checkoutSessions/{sessionId} {
      allow read: if isAuthenticated() && (
        resource.data.userId == request.auth.uid || isAdmin()
      );
      allow write: if isAdmin();
    }
  }
}