service cloud.firestore {
  match /databases/{database}/documents {
    // Incorrect solution
    match /public/{doc=**} {
      allow read;

      match /foo/{bar} {
        allow write: if doc == "foobar"; // Error! "doc" is a path object, not a string
      }
    }

    // Correct solution
    match /public/{doc} {
      allow read;

      match /foo/{bar} {
        allow read;
        allow write: if doc == "foobar"; // Correct, "doc" is now the document id
      }
    }
  }
}