firestore.rules

rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // 辅助函数：判断用户是否有权访问
    function canAccessTopic(topicData) {
      return topicData.access == 'public' ||
             (request.auth != null && request.auth.uid in topicData.visibility);
    }

    function isValidTopicName(topicData) {
      return topicData.name is string
             && topicData.name.size() > 0
             && topicData.name.size() <= 20
             && topicData.name.matches('^[a-zA-Z0-9_]+$');
    }

    function isValidVisibility(topicData, ownerId) {
      return topicData.visibility is list
             && topicData.visibility.size() <= 10
             && ownerId in topicData.visibility;
    }

    match /users/{uid} {
      allow read: if request.auth != null;
      allow write: if request.auth != null && request.auth.uid == uid;
    }

    match /topics/{topicId} {
      // 读取：公共话题登录可见；私有话题名单内可见
      // resource == null when the document doesn't exist (e.g. existence checks before create)
      allow read: if request.auth != null && (resource == null || canAccessTopic(resource.data));

      // 创建：私有话题 ID 绑定 UID
      allow create: if request.auth != null
                    && request.resource.data.owner == request.auth.uid
                    && isValidTopicName(request.resource.data)
                    && isValidVisibility(request.resource.data, request.auth.uid)
                    && (request.resource.data.access != 'private' || topicId == request.auth.uid);

      // 更新：私有话题仅限 Owner 管理名单或改名
      allow update: if request.auth != null
                    && resource.data.access == 'private'
                    && request.auth.uid == resource.data.owner
                    && request.resource.data.diff(resource.data)
                         .affectedKeys().hasOnly(['visibility', 'name'])
                    && isValidTopicName(request.resource.data)
                    && isValidVisibility(request.resource.data, resource.data.owner);

      allow delete: if false;

      match /messages/{messageId} {
        allow read: if request.auth != null && canAccessTopic(get(/databases/$(database)/documents/topics/$(topicId)).data);

        // 发送消息：只要有权限访问 Topic 就能发
        allow create: if request.auth != null
                      && request.resource.data.sender == request.auth.uid
                      && canAccessTopic(get(/databases/$(database)/documents/topics/$(topicId)).data)
                      && request.resource.data.time == request.time
                      && request.resource.data.content.size() <= 9000;

        allow update, delete: if false;
      }

      match /typing/{uid} {
        allow read: if request.auth != null && canAccessTopic(get(/databases/$(database)/documents/topics/$(topicId)).data);
        allow write: if request.auth != null && request.auth.uid == uid;
      }
    }
  }
}