diff --git a/firestore.rules b/firestore.rules
index 82c7f5c3..48214e3b 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -45,9 +45,18 @@ service cloud.firestore {
 allow read;
 }
 
+ function commentMatchesUser(userId, comment) {
+ // it's a bad look if someone can impersonate other ids/names/avatars so check everything
+ let user = get(/databases/$(database)/documents/users/$(userId));
+ return comment.userId == userId
+ && comment.userName == user.data.name
+ && comment.userUsername == user.data.username
+ && comment.userAvatarUrl == user.data.avatarUrl;
+ }
+
 match /{somePath=**}/comments/{commentId} {
 allow read;
- allow create: if request.auth != null;
+ allow create: if request.auth != null && commentMatchesUser(request.auth.uid, request.resource.data);
 }
 
 match /{somePath=**}/answers/{answerId} {
@@ -56,12 +65,16 @@ service cloud.firestore {
 
 match /folds/{foldId} {
 allow read;
- allow update, delete: if request.auth.uid == resource.data.curatorId;
+ allow update: if request.auth.uid == resource.data.curatorId
+ && request.resource.data.diff(resource.data).affectedKeys()
+ .hasOnly(['name', 'about', 'tags', 'lowercaseTags']);
+ allow delete: if request.auth.uid == resource.data.curatorId;
 }
 
 match /{somePath=**}/followers/{userId} {
 allow read;
- allow write: if request.auth.uid == userId;
+ allow create, update: if request.auth.uid == userId && request.resource.data.userId == userId;
+ allow delete: if request.auth.uid == userId;
 }
 }
 }
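Review bot: `commentMatchesUser` will fail with an evaluation error (and therefore deny) whenever the users document is missing one of the compared fields, for example a user with no `avatarUrl`, or when `get()` returns null because the document does not exist and `user.data` is then dereferenced. Denial is the safe failure mode, but if any of these fields is optional the create will be rejected for legitimate users with an opaque permission error; compare with defaults, `comment.get('userAvatarUrl', null) == user.data.get('avatarUrl', null)`, and guard the lookup with `exists(/databases/$(database)/documents/users/$(userId))` so the intent is explicit. The `get()` inside the function also counts toward the per-request document-access limit, which is worth a comment if the function is later reused in a rule that already performs lookups. The `match /databases/{database}/documents` block that binds `database` starts outside this hunk.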
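Review bot: The new `allow update` on `/folds/{foldId}` restricts which keys may change through `affectedKeys().hasOnly([...])` but says nothing about what they may become, so a curator can still store a non-string `name` or an unbounded `about`/`tags` value; if readers rely on those types, add checks such as `&& request.resource.data.name is string && request.resource.data.tags is list` after the `hasOnly` clause. Nothing in the rule ties `lowercaseTags` to `tags`, so that consistency is presumably enforced client-side, which is acceptable only as long as no query or rule treats `lowercaseTags` as authoritative. The followers rule correctly pins `request.resource.data.userId` to the path wildcard on create and update, but the recursive `{somePath=**}` prefix still lets a user create a followers document under any parent document, a pre-existing scope the change does not narrow.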