Summary
Firestore rules currently allow any authenticated user to read all users, groups, tasks, and rows, and to create/update rows under any task. Because the app is public and supports self-registration, client-side role filtering is not an access-control boundary.
Evidence
firestore.rules:30 allows authenticated reads of all users documents.
firestore.rules:42 allows authenticated reads of all groups documents.
firestore.rules:62 allows authenticated reads of all tasks documents.
firestore.rules:83 allows authenticated reads of all task rows.
firestore.rules:86 allows authenticated users to create any row.
firestore.rules:90 allows authenticated users to update any row.
src/lib/firebase/firestore.ts:59-72 and src/lib/firebase/firestore.ts:406-419 read all groups and filter client-side.
Impact
Any signed-in user can enumerate user emails/display names, group membership/roles, uploaded CSV contents, hidden columns, worker submissions, and review comments. They can also call the Firestore SDK/REST API directly, bypassing the UI, to overwrite worker answers, mark rows completed/passed, submit fake review decisions, or corrupt rows in unrelated tasks.
Minimal Fix
- Add Firestore helper functions for isGroupMember(groupId), isGroupAdmin(groupId), isTaskMember(taskId), isAssignedWorker(taskId), and reviewer membership checks.
- Restrict /users reads to self, or move invite-by-email lookup to a trusted backend/Cloud Function.
- Restrict /groups reads to members only.
- Restrict /tasks reads to group members, assigned workers, task creators/admins, or reviewers as appropriate.
- Restrict /rows reads to users authorized for the parent task.
- Split row writes by role and allowed changed fields: worker updates only writeData/worker status fields for assigned tasks; reviewer updates only review fields for tasks in their group.
- Replace collection-wide client reads with queries that only target authorized documents.
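A rules file that implements the fix above, added here as an illustration; it is not the project's firestore.rules. It assumes a schema the finding does not spell out: groups/{groupId} carries memberIds (a list of uids, for queries) and roles (a map uid -> 'admin' | 'reviewer' | 'worker'); tasks/{taskId} carries groupId, createdBy and assignedWorkers; rows live at tasks/{taskId}/rows/{rowId} with fields writeData, workerStatus, reviewStatus and reviewComment. Those field names, and the helper names beyond the four listed above, are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // ---- helpers ----------------------------------------------------------
    function signedIn() {
      return request.auth != null;
    }
    function uid() {
      return request.auth.uid;
    }
    // Assumed schema: groups/{groupId}.roles is a map uid -> role and
    // groups/{groupId}.memberIds holds the same uids as a list.
    function groupData(groupId) {
      return get(/databases/$(database)/documents/groups/$(groupId)).data;
    }
    function isGroupMember(groupId) {
      return signedIn() && uid() in groupData(groupId).roles;
    }
    function hasGroupRole(groupId, role) {
      return isGroupMember(groupId) && groupData(groupId).roles[uid()] == role;
    }
    function isGroupAdmin(groupId) {
      return hasGroupRole(groupId, 'admin');
    }
    function isGroupReviewer(groupId) {
      return hasGroupRole(groupId, 'reviewer');
    }
    // Assumed schema: tasks/{taskId} carries groupId, createdBy, assignedWorkers.
    function taskData(taskId) {
      return get(/databases/$(database)/documents/tasks/$(taskId)).data;
    }
    function isTaskMember(taskId) {
      return isGroupMember(taskData(taskId).groupId);
    }
    function isAssignedWorker(taskId) {
      return signedIn() && uid() in taskData(taskId).assignedWorkers;
    }
    function canReviewTask(taskId) {
      let t = taskData(taskId);
      return isGroupReviewer(t.groupId) || isGroupAdmin(t.groupId)
             || (signedIn() && t.createdBy == uid());
    }
    // True when the update touches no field outside `fields`.
    function onlyChanges(fields) {
      return request.resource.data.diff(resource.data).affectedKeys().hasOnly(fields);
    }

    // ---- /users: self only; invite-by-email lookup moves server-side --------
    match /users/{userId} {
      allow read, write: if signedIn() && uid() == userId;
    }

    // ---- /groups: members read, admins write --------------------------------
    match /groups/{groupId} {
      // Checked against resource.data rather than get() so that a list query
      // where('memberIds', 'array-contains', uid) can be proven allowed.
      allow read: if signedIn() && uid() in resource.data.memberIds;
      allow create: if signedIn()
                    && request.resource.data.roles[uid()] == 'admin'
                    && uid() in request.resource.data.memberIds;
      allow update, delete: if isGroupAdmin(groupId);
    }

    // ---- /tasks: group members and assigned workers read --------------------
    match /tasks/{taskId} {
      allow read: if signedIn()
                  && (uid() in resource.data.assignedWorkers
                      || isGroupMember(resource.data.groupId));
      allow create: if isGroupAdmin(request.resource.data.groupId)
                    && request.resource.data.createdBy == uid();
      allow update, delete: if isGroupAdmin(resource.data.groupId);

      // ---- rows: writes split by role and by the fields actually touched ----
      match /rows/{rowId} {
        allow read: if isAssignedWorker(taskId) || canReviewTask(taskId);
        allow create, delete: if isGroupAdmin(taskData(taskId).groupId);
        // A worker may change only their answer and status on assigned tasks.
        allow update: if isAssignedWorker(taskId)
                      && onlyChanges(['writeData', 'workerStatus']);
        // A reviewer may change only the review fields, never the answer.
        allow update: if canReviewTask(taskId)
                      && onlyChanges(['reviewStatus', 'reviewComment']);
      }
    }
  }
}
```

Two practitioner notes. Rules are not filters: once /groups reads are narrowed, the collection-wide read at src/lib/firebase/firestore.ts:59-72 and 406-419 is rejected outright rather than trimmed, so the client must issue a query the rule can prove, e.g. query(collection(db, 'groups'), where('memberIds', 'array-contains', uid)) in the modular SDK; the same applies to /tasks reads, which should filter on groupId or assignedWorkers. And each get() in a helper is a billed document read counted against the per-request limit (10 for single-document reads and queries), which is why the /groups and /tasks read rules above use resource.data instead of get() and why identical get() calls are deduplicated within one request. The acceptance criteria below can be exercised against the emulator with @firebase/rules-unit-testing, asserting both the denied cross-group reads and the field-restricted row updates.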
Acceptance Criteria
- A newly registered user who is not a group member cannot read any other user's groups/tasks/rows.
- A worker can read/write only their assigned task rows.
- A reviewer can read/review only tasks in groups where they have reviewer role.
- An admin can manage only groups/tasks they administer.
- Firestore rules tests or emulator checks cover the cases above.