Source: Deep code review — docs/code-review-2026-05.md (finding S5, P3). Verified still present on 2026-06-08 (firestore.rules:80).
Where: firestore.rules:80 — allow read: if true;
Issue: All recipes are publicly readable, including pending/unapproved user submissions — exposed to scrapers/bots.
Fix: allow read: if resource.data.approved == true || isOwner(resource.data.userId) || isManager();
⚠️ Verify all read paths first — the categories page currently filters approved client-side; this change pushes that filter server-side and may require query/index adjustments. Coordinate with the pagination work (P2/P3).
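Weak rule beside the corrected one, as an added example that is not part of the review notes or the project's own rules file; the bodies of isOwner() and isManager() (owner via request.auth.uid, manager via a custom auth claim named manager) are assumptions, since only their names appear above.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Assumed helper: caller is signed in and owns the document.
    function isOwner(userId) {
      return request.auth != null && request.auth.uid == userId;
    }
    // Assumed helper: manager role carried as a custom auth claim.
    function isManager() {
      return request.auth != null && request.auth.token.manager == true;
    }

    match /recipes/{recipeId} {
      // BEFORE (finding S5, firestore.rules:80): every recipe, including
      // pending submissions, is readable by anyone, signed in or not.
      // allow read: if true;

      // AFTER: the public sees only approved recipes; the submitting user
      // and managers can still read pending ones.
      allow read: if resource.data.approved == true
                  || isOwner(resource.data.userId)
                  || isManager();
    }
  }
}
```

Rules are not filters: a list query that could match an unapproved document (for example the categories page listing without a where('approved', '==', true) clause) is rejected as a whole rather than trimmed, which is why the client-side filter must move into the query and may need a matching index.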