Cloud Firestore - still get "any user can write to your entire database" error

Question

I've added rules to my Cloud Firestore database but still receive these issue messages:

• any user can read your entire database
• any user can write to your entire database

See the rules below.

Indeed, any user can read and write into "users" collection, otherwise I won't be able to log in/register a user. How to solve the issue?

Thanks

Answer 1

The problem with your current rules is that it allows any user to read/write any other user's user document. You need to restrict it a bit more to look at the userId of the documents. Something like this

service cloud.firestore {
  match /databases/{database}/documents {

    // Ensure the user is authenticated
    function userIsAuthenticated() {
        return request.auth != null && request.auth.uid != null
    }

    // Ensure the user owns the existing resource
    function userOwnsResource() {
        return userIsAuthenticated() && request.auth.uid == resource.data.userId
    }

    // Ensure the user owns the new resource
    function userOwnsNewResource() {
      return userIsAuthenticated() && request.auth.uid == request.resource.data.userId 
    }

    match /users/{userId=**} {
      allow read, update, delete: if userOwnsResource();
      allow create: if userOwnsNewResource();
    }
  }
}

userOwnsResource checks that the user can access an existing resource. userOwnsNewResource checks that they can create a new document for their userId. You can obviously reuse these functions in other rules which is handy.