From b64ae1f29a7c3cf0ea7f8a80a5fea4cd9237fe2b Mon Sep 17 00:00:00 2001
From: null
Date: Sat, 20 Jun 2026 01:19:02 -0500
Subject: [PATCH] fix: block answer delete in rules, enforce userId match on create (batch v1.0.18)
---
 firestore.rules | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/firestore.rules b/firestore.rules
index a393ff07..a739b6bd 100644
--- firestore.rules
+++ b/firestore.rules
@@ -363,9 +363,10 @@ service cloud.firestore {
 // Accepts schemaVersion 3 (sealed:v1: partner-proof) or schemaVersion 2 (enc:v1: couple-key).
 match /answers/{userId} {
 allow read: if isCouplesMember(coupleId);
- allow delete: if isOwner(userId);
+ allow delete: if false;
 allow create: if isCouplesMember(coupleId)
 && isOwner(userId)
+ && request.resource.data.userId == request.auth.uid
 && coupleEncryptionEnabled(coupleId)
 && (
 isSealedThreadAnswerCreate(request.resource.data)
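Review bot: `allow delete: if false;` is not a deny override, because Firestore grants a request as soon as any matching `allow` evaluates to true. A broader match elsewhere in firestore.rules that also covers `/answers/{userId}` and permits delete would still let a client remove answers; the rest of the file is outside this hunk, so that needs checking. A comment on the line would record the intent, for example `// Client deletes are denied on purpose; no other match may grant delete on this path`. Separately, the added `request.resource.data.userId == request.auth.uid` check applies to create only. If an `allow update` follows further down in this match block, which continues past the hunk, it should keep the field fixed with `request.resource.data.userId == resource.data.userId`.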