rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {
    function isAuthenticated() {
      return request.auth != null;
    }

    function isAdmin() {
      return isAuthenticated() && request.auth.token.admin == true;
    }

    function isSignedInWithProvider(provider) {
      return isAuthenticated() && request.auth.token.firebase.sign_in_provider == provider;
    }

    function isOwner(resourceData, field) {
      return isAuthenticated() &&
        ((resourceData[field] != null && resourceData[field] == request.auth.uid) || isAdmin());
    }

    function isOwnerOfRequest(resourceData) {
      return isAuthenticated() && (
        (resourceData.uid != null && resourceData.uid == request.auth.uid) ||
        (resourceData.requestorUid != null && resourceData.requestorUid == request.auth.uid) ||
        (resourceData.requesteeUid != null && resourceData.requesteeUid == request.auth.uid) ||
        isAdmin()
      );
    }

    match /{document=**} {
      allow read, write: if isAuthenticated() && 
        (isAdmin() || isSignedInWithProvider('custom'));
    }

    match /users/{userId} {
      allow create: if isAuthenticated() && (userId == request.auth.uid || isAdmin());
      allow read, update, delete: if isOwner(resource.data, 'uid') || (request.auth.uid == userId) || isAdmin();
    }

    match /wallets/{walletId} {
      allow create: if isOwner(request.resource.data, 'uid');
      allow read, update, delete: if isOwner(resource.data, 'uid');
    }

    match /transactions/{transactionId} {
      allow create: if isOwner(request.resource.data, 'uid');
      allow read, update, delete: if isOwner(resource.data, 'uid');
    }

    match /recipients/{recipientId} {
      allow create: if isOwner(request.resource.data, 'uid');
      allow read, update, delete: if isOwner(resource.data, 'uid');
    }

    match /campaigns/{campaignId} {
      allow create: if isOwner(request.resource.data, 'creatorId');
      allow read, update, delete: if isOwner(resource.data, 'creatorId');
    }

    match /donations/{donationId} {
      allow create: if isOwner(request.resource.data, 'donorId');
      allow read, update, delete: if isOwner(resource.data, 'donorId');
    }

    match /notifications/{notificationId} {
      allow create: if isOwner(request.resource.data, 'userId');
      allow read, update, delete: if isOwner(resource.data, 'userId');
    }

    match /requests/{requestId} {
      allow create: if isOwnerOfRequest(request.resource.data);
      allow read, update, delete: if isOwnerOfRequest(resource.data);
    }

    match /admin/{document=**} {
      allow read, write: if isAdmin();
    }

    match /{document=**} {
      allow read, write: if false;
    }
  }
}