I always get the mail about my Cloud Firestore security rules being insecure.
Every user can read the whole database
But I don't get it? These are my rules:
service cloud.firestore {
match /databases/{database}/documents {
match /users/{userID} {
allow read;
allow write: if request.auth != null;
}
match /users/{userId}/wishlists/{restOfPath=**} {
allow read,write: if request.auth != null;
}
}
}
users
should be readable for everyone but everything else should be restricted to authorized users only. What am I missing here?