rules_version = '2';

service cloud.firestore {
  match /databases/{database}/documents {

    // Caller presented a Firebase Auth token.
    function isSignedIn() {
      return request.auth != null;
    }

    // The given document's userId field matches the caller's uid.
    // Callers must check isSignedIn() first so request.auth is non-null.
    function isAuthor(doc) {
      return doc.userId == request.auth.uid;
    }

    // students/*: publicly readable, never writable from clients.
    // All writes happen out-of-band (console / Admin SDK).
    match /students/{studentId} {
      allow read: if true;
      allow write: if false;
    }

    // donors/*: publicly readable; any signed-in user may add a donor,
    // nobody may change or remove one from a client.
    // NOTE(review): the incoming donor document is accepted as-is here —
    // no field, type or size checks — confirm that is intended.
    match /donors/{donorId} {
      allow read: if true;
      allow create: if isSignedIn();
      allow update, delete: if false;
    }

    // comments/*: publicly readable. A signed-in user may create a comment
    // stamped with their own uid whose text is a non-empty string of at
    // most 500 characters, and may delete only their own comments.
    // Comments are immutable once written.
    match /comments/{commentId} {
      allow read: if true;

      allow create: if isSignedIn()
                    && isAuthor(request.resource.data)
                    && request.resource.data.text is string
                    && request.resource.data.text.size() > 0
                    && request.resource.data.text.size() <= 500;

      allow delete: if isSignedIn() && isAuthor(resource.data);

      allow update: if false;
    }

    // subscribers/*: write-only inbox for newsletter sign-ups. Anyone,
    // signed in or not, may create; nothing is readable or mutable
    // from clients.
    // NOTE(review): no shape or size checks on the created document —
    // confirm a server-side process validates what lands here.
    match /subscribers/{subscriberId} {
      allow create: if true;
      allow read, update, delete: if false;
    }
  }
}