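rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // True when the caller is signed in and carries a custom claim `role` >= 5.
    // request.auth and the claim's presence are checked first so an anonymous
    // caller or a token without the claim yields a clean `false` instead of an
    // evaluation error (errors are denied too, but they hide misconfiguration).
    function isElevatedRole() {
      return request.auth != null
        && 'role' in request.auth.token
        && request.auth.token.role >= 5;
    }

    // True when the caller is signed in and is the user identified by `uid`.
    function isOwner(uid) {
      return request.auth != null && request.auth.uid == uid;
    }

    // Top-level collections whose documents are keyed by UID and must stay
    // private to that user or an elevated role. Firestore grants access when
    // ANY matching rule allows it, so the catch-all at the bottom must exclude
    // these collections rather than rely on the narrower matches winning.
    function isPrivatePerUserCollection(collection) {
      return collection in ['users', 'progresses'];
    }

    // /users/{docId}: the document id is the owner's UID.
    match /users/{docId} {
      allow read, write: if isOwner(docId) || isElevatedRole();
    }

    // /wadizes/{docId}: intentionally world-readable and world-writable,
    // including for unauthenticated callers (kept as configured by the author).
    // `if true` also permits deletes and writes of arbitrary field shapes;
    // tighten with field validation if this board holds anything trusted.
    match /wadizes/{docId} {
      allow read, write: if true;
    }

    // /progresses/{userId}: the document id is the owner's UID.
    match /progresses/{userId} {
      allow read, write: if isOwner(userId) || isElevatedRole();
    }

    // Every other top-level collection (and anything nested under it): anyone
    // may read, any signed-in user may write. The first path segment is
    // captured so the private per-user collections can be excluded; the
    // previous `match /{document=**}` also matched /users/* and /progresses/*,
    // which made every user and progress document publicly readable and
    // writable by any signed-in user, bypassing the owner checks above.
    // Elevated-role callers are signed in, so the separate role check on write
    // was redundant and is folded into the auth check.
    // NOTE(review): subcollections under /users and /progresses are now denied
    // by this rule as well; add explicit matches for them if they exist.
    match /{collection}/{document=**} {
      allow read: if !isPrivatePerUserCollection(collection);
      allow write: if !isPrivatePerUserCollection(collection)
        && request.auth != null;
    }
  }
}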