As stated in that email/warning message, the rules you have are not considered secure. As your rules currently stand, a malicious user could abuse your database by calling hundreds of requests to it which may lead to unexpected billing charges.
The trigger for this warning is simple - if "allow read;" or "allow write;" is present on the /{document=**} path, send the user the warning as these broad rules are considered a bug and should be tightened. One of the main reasons the warning exists is if you store sensitive user data like phone numbers, email addresses, billing information under a /users/someUserId document - with the current rules this is now publicly accessible and can get you in trouble with data privacy laws and regulations like GDPR. There are a number of other similar conditions that also send similar warnings like if the system detects that the default 30 days of read/write access has expired.
If your data is expected to be publicly accessible, rather than grant read access to the entire database, grant it to the specific collections that you want to be public.
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // public database of cars
    match /cars/{carId} {
      allow read;
    }
    // public database of trains
    match /trains/{trainId} {
      allow read;
    }
    // only that user can read/write their own data
    match /users/{userId} {
      allow read: if request.auth != null && request.auth.uid == userId;
      allow write: if request.auth != null && request.auth.uid == userId;
    }
  }
}
I recommend having a read of the fixing insecure rules documentation for more information.
You can also make use of granular rules to limit the queries that can be performed against your database such as limiting getting a list of posts to 10 at a time.
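A sketch of the granular rules mentioned above, added here as an example and not part of the original answer: reads are split into get and list so that listing can be capped at 10 documents per query, and writes are tied to the author. The posts collection and the authorId field are assumptions made for illustration.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Hypothetical "posts" collection; "authorId" is an assumed field name.
    match /posts/{postId} {
      // Anyone may fetch a single post by its ID.
      allow get;

      // Listing is allowed only when the query asks for at most 10 documents.
      allow list: if request.query.limit <= 10;

      // Only a signed-in user can create a post, and only under their own uid.
      allow create: if request.auth != null
                    && request.resource.data.authorId == request.auth.uid;

      // Only the author can change a post, and the author cannot be reassigned.
      allow update: if request.auth != null
                    && resource.data.authorId == request.auth.uid
                    && request.resource.data.authorId == resource.data.authorId;

      // Only the author can delete a post.
      allow delete: if request.auth != null
                    && resource.data.authorId == request.auth.uid;
    }
  }
}
```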