TSM

Reputation: 1275

Firestore Rules

I have the following rules in my Firestore database. But I still keep getting a notification from Firestore that the rules I set in my database are not secure. Please see the code below. Any suggestions or recommendations to make the database more secure?

    rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {

        match /{document=**} {
          allow read: if true;
          allow write: if userIsAdmin();
        }

        match /Basket/{Basket} {
          allow read, update, delete: if userOwnPost();
          allow create: if request.auth.uid != null;
        }

        match /AllOrders/{AllOrders} {
          allow read, create, update: if userOwnPost();
        }

        match /Items/{Items} {
          allow update: if userOwnPost();
        }

        match /Voucher/{Voucher} {
          allow update: if userOwnPost();
        }

        match /User/{User} {
          allow read, update: if userOwnPost();
          allow create: if request.auth.uid != null;
        }

        function userIsAdmin() {
          return getUserData().userRole == 'Admin';
        }

        function getUserData() {
          return get(/databases/$(database)/documents/User/$(request.auth.uid)).data;
        }

        function userOwnPost() {
          return getUserData().objectId == request.auth.uid;
        }
      }
    }

Upvotes: 0

Views: 125

Answers (1)

Renaud Tarnec

Reputation: 83048

You have some overlapping match statements in your rules:

With

match /{document=**} {
  allow read: if true;
  allow write: if userIsAdmin();
}

you allow read access on all documents in your Firestore database.

As explained in the doc (section "Overlapping match statements"), "in the case where multiple allow expressions match a request, the access is allowed if any of the conditions is true".

So all your other security rules are just overlapped by this one.

Upvotes: 2
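As an added example (not the asker's rules and not the answerer's code), one way to restructure the rule set so that no catch-all `match /{document=**}` grants read access, every collection gets its own explicit rule, and ownership is checked against the document actually being accessed rather than only the caller's own User record. It assumes Basket and AllOrders documents store the owner's uid in an `ownerId` field, that Items is a public catalogue, and that `userRole` is assigned server-side with the Admin SDK (which bypasses rules).

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    function isSignedIn() { return request.auth != null; }
    function userData() {
      return get(/databases/$(database)/documents/User/$(request.auth.uid)).data;
    }
    function isAdmin() { return isSignedIn() && userData().userRole == 'Admin'; }
    // Assumed data model: Basket and AllOrders documents store the owner's uid in ownerId.
    function ownsExisting() { return isSignedIn() && resource.data.ownerId == request.auth.uid; }
    function ownsIncoming() { return isSignedIn() && request.resource.data.ownerId == request.auth.uid; }

    // No match /{document=**} block: any path not matched below is denied by default.
    match /Items/{itemId} {
      allow read: if true;            // assumed public catalogue
      allow write: if isAdmin();
    }
    match /Voucher/{voucherId} {
      allow read: if isSignedIn();
      allow write: if isAdmin();
    }
    match /Basket/{basketId} {
      allow read, update, delete: if ownsExisting() || isAdmin();
      allow create: if ownsIncoming();
    }
    match /AllOrders/{orderId} {
      allow read, update: if ownsExisting() || isAdmin();
      allow create: if ownsIncoming();
    }
    match /User/{userId} {
      allow read: if isSignedIn() && (request.auth.uid == userId || isAdmin());
      // A user may create only their own profile and may not set userRole on it.
      allow create: if isSignedIn() && request.auth.uid == userId
                    && !('userRole' in request.resource.data);
      // A user may edit their profile but may not touch userRole; otherwise anyone
      // could promote themselves to Admin and satisfy isAdmin().
      allow update: if isSignedIn() && request.auth.uid == userId
                    && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['userRole']);
    }
  }
}
```

Because isAdmin() reads the role from a document the caller can write, the userRole guards on User are what keep the admin check meaningful; the Rules Playground in the Firebase console can be used to confirm that an unauthenticated read of Basket or AllOrders is now denied.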
