firestore.rules

rules_version='2'

service cloud.firestore {
  match /databases/{database}/documents {
    // Helper function to check if user is an admin
    function isAdmin() {
      return request.auth != null && request.auth.token.admin == true;
    }

    // A user can read a document in the import collection only if the document ID
    // (the email) matches their own authenticated email.
    match /migrated_users_import/{email} {
      allow read: if request.auth != null && request.auth.token.email == email;
    }

    // Lock down the members collection - require email verification for all operations
    // Admins have full read/write access to all member documents
    match /members/{uid} {
      allow read: if (request.auth != null && request.auth.uid == uid) || isAdmin();
      allow write: if (request.auth != null &&
                       request.auth.uid == uid &&
                       request.auth.token.email_verified == true) || isAdmin();
    }

    match /{document=**} {
      // This rule allows anyone with your database reference to view, edit,
      // and delete all data in your database. It is useful for getting
      // started, but it is configured to expire after 30 days because it
      // leaves your app open to attackers. At that time, all client
      // requests to your database will be denied.
      //
      // Make sure to write security rules for your app before that time, or
      // else all client requests to your database will be denied until you
      // update your rules.
      allow read, write: if request.time < timestamp.date(2025, 7, 18);
    }
  }
}