Comment by GVRV
Didn't they already have these rules in place? And the vulnerability was when the owner was updating the resource to have a new owner?
Didn't they already have these rules in place? And the vulnerability was when the owner was updating the resource to have a new owner?
In my limited experience, I've seen it handled by adding the user's ID in the path of any resource that belongs to a particular user, so that the user ID from the resource path can be compared with the authenticated user ID as a security rule condition.
But as expected, you can validate the incoming data as well https://firebase.google.com/docs/firestore/security/rules-co... but this would need to be done for any attribute that might lead to a change of ownership.
Unclear if they had these rules in place already but I'm curious... If the rule permits writing when the userid matches, presumably there is nothing stopping the write operation to change the userid value, to your point.
Which then leads me to the next question, what is the practical way to write rules against that operation?