storage.rules

rules_version = '2';

service firebase.storage {
  match /b/{bucket}/o {
    // Helper function to get user role from Firestore.
    // Note: Using this function in storage rules can sometimes be less reliable or performant
    // than direct checks if complex logic is involved or if the user document might not exist.
    // For the write rule below, we're simplifying to just check auth.
    function getUserRole(userId) {
      // This attempts to get the role. It's important that the document and role field exist.
      // For the simplified write rule below, this function is not strictly needed but kept for context.
      return get(/databases/$(database)/documents/users/$(userId)).data.role;
    }

    // Rules for event images
    // Path: /event-images/{anyFileId} (e.g., /event-images/eventId/filename.jpg)
    match /event-images/{allPaths=**} {
      // Authenticated users can read event images.
      allow read: if request.auth != null;

      // Any authenticated user can write (upload/update/delete) event images.
      // The UI and Firestore rules for event creation will handle role-based restrictions for *creating* an event.
      allow write: if request.auth != null;
    }

    // Rules for event brochures
    // Path: /event-brochures/{anyFileId} (e.g., /event-brochures/eventId/brochure.pdf)
    match /event-brochures/{allPaths=**} {
      // Authenticated users can read event brochures
      allow read: if request.auth != null;

      // Any authenticated user can write (upload/update/delete) event brochures
      // The UI and Firestore rules for event creation will handle role-based restrictions
      allow write: if request.auth != null;
    }

    // Default deny all other paths if not explicitly allowed.
    // This rule must be the last one in this scope to act as a catch-all.
    match /{path=**} {
      allow read, write: if false;
    }
  }
}