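rules_version = '2';

// Firebase Storage Security Rules for Go-Wheels Car Rental App
//
// Admin status is derived only from the caller's Firestore profile
// (users/{uid}.role == 'admin'). The previous rules also treated any
// account whose e-mail address *contained* "admin" or "owner" as an
// admin; since users pick their own e-mail address, that was a
// self-service privilege escalation and has been removed.
//
// NOTE(review): this still relies on firestore.rules preventing a
// non-admin from writing their own `role` field — confirm that there;
// Storage rules cannot enforce it.
service firebase.storage {
  match /b/{bucket}/o {

    // True when the request carries a Firebase Auth identity.
    function isSignedIn() {
      return request.auth != null;
    }

    // Firestore document holding the caller's profile.
    // Only valid when isSignedIn() is true (request.auth.uid is read).
    function userDoc() {
      return /databases/(default)/documents/users/$(request.auth.uid);
    }

    // Role stored on the caller's Firestore user document, or 'user'
    // when the caller is anonymous, has no profile document, or the
    // document has no `role` field. The exists() check and the map
    // default keep a missing document/field from raising an evaluation
    // error (which would deny the request instead of treating the
    // caller as a plain user).
    function getUserRole() {
      return (isSignedIn() && firestore.exists(userDoc()))
        ? firestore.get(userDoc()).data.get('role', 'user')
        : 'user';
    }

    // Admin check: Firestore role only (see header comment).
    function isAdmin() {
      return getUserRole() == 'admin';
    }

    // Owner check for an existing object: the uploader's uid is expected
    // in the object's custom metadata under `userId` (the original rules
    // already depended on this key). Guarded so objects without the key
    // evaluate to false rather than erroring.
    function isOwner() {
      return isSignedIn()
        && resource != null
        && resource.metadata != null
        && 'userId' in resource.metadata
        && resource.metadata.userId == request.auth.uid;
    }

    // Upload constraints: size cap and an image content type.
    // contentType is supplied by the client, so this is a sanity check on
    // declared type, not a guarantee that the bytes are an image.
    function isValidImage() {
      return request.resource.size < 5 * 1024 * 1024 // 5MB limit
        && request.resource.contentType.matches('image/.*'); // Only images
    }

    // Car images. The former two overlapping matches
    // (/cars/{carId}/{allPaths=**} and /cars/{allPaths=**}) are merged:
    // overlapping matches are OR-ed, and the second one's condition
    // `isAdmin() || request.auth.uid != null` was always true for a
    // signed-in user, so any signed-in user could overwrite anyone's image.
    //
    // - read: public (car browsing). Under rules_version '2', `read`
    //   includes `list`, so object listing under /cars is public too.
    // - create: any signed-in user, subject to size/type constraints.
    // - update: uploader or admin, subject to the same constraints.
    // - delete: uploader or admin.
    match /cars/{allPaths=**} {
      allow read: if true;
      allow create: if isSignedIn() && isValidImage();
      allow update: if isValidImage() && (isAdmin() || isOwner());
      allow delete: if isAdmin() || isOwner();
    }

    // Default deny for everything else in the bucket.
    match /{allPaths=**} {
      allow read, write: if false;
    }
  }
}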