firestore.rules

/**
 * @fileoverview Firestore Security Rules for NexHireAI platform.
 *
 * Core Philosophy:
 * This ruleset enforces a strict user-ownership model for most data. Each user has complete control over their own data tree.
 * Recruiters and Admins have read/write access to platform-level data like roles, assessments, and the question bank.
 *
 * Data Structure:
 * - Candidate data is nested under /users/{userId}, ensuring ownership.
 * - Platform data (/roles, /assessments, /questionBank) is managed by admins.
 */
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Helper functions to check user roles and ownership.
    function isOwner(userId) {
      return request.auth.uid == userId;
    }

    function isRecruiterOrAdmin() {
      // Check for a custom claim `role` on the user's auth token.
      // This is more secure than checking a field in their user document.
      return request.auth.token.role == 'recruiter' || request.auth.token.role == 'admin';
    }

    function isSignedIn() {
      return request.auth != null;
    }

    /**
     * @description Secure user profiles. Users can manage their own profile. Recruiters/Admins can view all profiles.
     */
    match /users/{userId} {
      allow get: if isOwner(userId) || isRecruiterOrAdmin();
      allow list: if isRecruiterOrAdmin(); 
      allow create: if isOwner(userId);
      allow update: if isOwner(userId);
      // Deletion is a sensitive operation, restrict it to the user for now.
      allow delete: if isOwner(userId);
    }

    /**
     * @description Secure user-specific assessment attempts. Only the user or an admin can see their results.
     */
    match /users/{userId}/assessments/{assessmentId} {
      allow read: if isOwner(userId) || isRecruiterOrAdmin();
      allow write: if isOwner(userId); // Only the user can create their own attempts.
      allow list: if isOwner(userId) || isRecruiterOrAdmin();
    }
    
    /**
     * @description Secure user notifications. Only the user can read/write their own.
     */
    match /users/{userId}/notifications/{notificationId} {
      allow read, write: if isOwner(userId);
    }
    
    /**
     * @description Rule to allow admins to query the 'assessments' collection group.
     * This is required for the admin dashboard to fetch recent activity across all users.
     */
    match /{path=**}/assessments/{assessmentId} {
      allow get, list: if isRecruiterOrAdmin();
    }

    /**
     * @description Public roles, readable by all authenticated users, writable only by admins/recruiters.
     * This is necessary so candidates can see the list of available assessments.
     */
    match /roles/{roleId} {
      allow get, list: if isSignedIn();
      allow write: if isRecruiterOrAdmin();
    }
    
    /**
     * @description Legacy questions collection, kept for compatibility but secured.
     * It's better to migrate to the central questionBank.
     */
    match /roles/{roleId}/questions/{questionId} {
       allow get, list: if isSignedIn();
       allow write: if isRecruiterOrAdmin();
    }

    /**
     * @description Centralized question bank, only manageable by admins/recruiters.
     * Candidates should not be able to read all questions directly.
     */
    match /questionBank/{questionId} {
        allow read, write: if isRecruiterOrAdmin();
    }

    /**
     * @description Assessment templates, only manageable by admins/recruiters.
     */
    match /assessments/{assessmentId} {
        allow read, write: if isRecruiterOrAdmin();
    }

    /**
     * @description Cohorts can be managed by recruiters/admins.
     */
    match /cohorts/{cohortId} {
        allow read, write: if isRecruiterOrAdmin();
    }

    /**
     * @description A secure fallback. Disallow any other reads/writes by default.
     * This ensures any new collections are secure until rules are explicitly defined.
     */
    match /{document=**} {
      allow read, write: if false;
    }
  }
}