Severity: High
There is no indication that Firestore security rules are defined or enforced. If rules are missing or overly permissive (for example the common "allow read, write: if true;"), anyone holding the project configuration that ships in the client can interact with the database directly.
Potential risks include:
Reading all user data
Writing arbitrary data (e.g., setting isPremium: true)
Deleting or modifying collections
Because the Firebase web config (API key, project ID, app ID) is public by design and is not a credential, security must come from rules, not from obscurity.
Why this matters:
This is a direct data integrity and privacy risk. Attackers do not even need to use the app: they can talk to Firestore directly through the client SDKs or the Firestore REST API, authenticating (or not) exactly as the app would, and every read or write is evaluated against the rules alone.
What’s needed:
Strict Firestore security rules enforcing:
Authentication: every read and write requires a signed-in user (request.auth != null); nothing is reachable anonymously
Role-based access control: users can only read and write their own documents; privileged operations require a custom claim (e.g., an admin claim on the ID token) or are not exposed to clients at all
Field-level validation: clients cannot set or change privileged fields such as isPremium; only trusted server code using the Admin SDK (which bypasses rules) may, and client writes are restricted to an explicit allow-list of fields
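The following rules file is an added example written for this finding, not rules taken from the project under review. It assumes a users collection keyed by the Firebase Auth uid, an isPremium boolean on each user document, and an admin custom claim set server-side on privileged accounts; the helper function names are the example's own. The permissive rules that would produce the risk above are shown in the leading comment for contrast, followed by the hardened version that enforces the three requirements listed.

```firestore
// INSECURE (the situation this finding warns about): any caller, signed in or
// not, can read, write and delete every document in the project.
//
//   rules_version = '2';
//   service cloud.firestore {
//     match /databases/{database}/documents {
//       match /{document=**} {
//         allow read, write: if true;
//       }
//     }
//   }

// HARDENED example (assumed schema: /users/{uid} with fields
// displayName, photoURL, isPremium).
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // --- Authentication / role helpers (example names, not project code) ---
    function signedIn() {
      return request.auth != null;
    }
    // The document id is the owner's Firebase Auth uid.
    function isOwner(uid) {
      return signedIn() && request.auth.uid == uid;
    }
    // "admin" is a custom claim minted only by trusted server code
    // (Admin SDK setCustomUserClaims); clients cannot set it themselves.
    function isAdmin() {
      return signedIn() && request.auth.token.admin == true;
    }
    // Field-level validation: on update, the only keys a user may change
    // on their own profile. isPremium is deliberately absent, so a client
    // write that touches it is denied.
    function ownerEditableFieldsOnly() {
      return request.resource.data.diff(resource.data).affectedKeys()
        .hasOnly(['displayName', 'photoURL']);
    }

    match /users/{uid} {
      // Users see only their own record; admins see all.
      allow read: if isOwner(uid) || isAdmin();

      // A user may create their own record, with no unexpected fields and
      // with isPremium forced to false (missing field -> expression errors
      // -> request denied, which is the safe outcome).
      allow create: if isOwner(uid)
        && request.resource.data.keys()
             .hasOnly(['displayName', 'photoURL', 'isPremium'])
        && request.resource.data.isPremium == false;

      // Owners may edit display fields only; admins may edit anything.
      allow update: if isAdmin()
        || (isOwner(uid) && ownerEditableFieldsOnly());

      // Deletion is an admin-only operation.
      allow delete: if isAdmin();
    }

    // Rules are deny-by-default; this match states the intent explicitly
    // so that any collection added later without its own rules stays closed.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Because any matching allow statement grants access, keep the catch-all at "if false" and add narrower match blocks per collection rather than widening it. Deploy with "firebase deploy --only firestore:rules", and exercise the rules offline against the Firestore emulator (for example with the @firebase/rules-unit-testing package under "firebase emulators:exec") to confirm that an unauthenticated read of /users/{uid} and an owner update setting isPremium to true are both rejected before shipping.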