From da2d7c8b1fd6f7fc595bac14eea5d9fe09e6d358 Mon Sep 17 00:00:00 2001
From: anshul23102
Date: Fri, 29 May 2026 16:47:20 +0530
Subject: [PATCH] fix(#349): deny self-writes on members badges subcollection

Any authenticated user could previously write to their own members//badges/ path because the rule allowed writes when request.auth.uid == userId. Badge logic runs entirely client-side, so this let any user award themselves arbitrary badges with a direct Firestore set call, bypassing all earned-criteria checks. Restrict the allow write condition to isSuperAdmin() only. Badge grants should originate exclusively from trusted backend code (Cloud Functions or Admin SDK) that verifies criteria before writing. The read rule is unchanged. Closes #349
---
 firestore.rules | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/firestore.rules b/firestore.rules
index 9e80a145..4af63426 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -85,9 +85,12 @@ service cloud.firestore {
 }
 // Badges Subcollection
+ // Badge grants must come from trusted backend (Cloud Functions / Admin SDK).
+ // Self-writes are intentionally denied to prevent users from awarding
+ // themselves arbitrary badges without meeting the criteria.
 match /badges/{badgeId} {
 allow read: if true;
- allow write: if isSuperAdmin() || (request.auth != null && request.auth.uid == userId);
+ allow write: if isSuperAdmin();
 }
 // GitHub Repos Subcollection
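Review bot: The new `allow write: if isSuperAdmin();` is only as strong as `isSuperAdmin()`, which is defined outside this hunk; if that helper derives the role from a document the same user can write (for example a `role` field on `members/{userId}` read via `get()`), a user could still self-grant badges by first promoting themselves, so confirm it is backed by a custom auth claim or an admin-only collection. The added comment's reference to the Admin SDK is slightly misleading, since Admin SDK writes bypass security rules entirely and the rules can only deny client writes, not require that grants come from the backend; I would reword it to `// Client writes are superadmin-only; all other grants go through Cloud Functions / Admin SDK, which bypass rules.` A rules-unit test asserting that an authenticated non-admin `set()` to `members/{uid}/badges/{badgeId}` is denied would pin the regression this issue closes. The enclosing `match /members/{userId}` block that binds `userId` starts before this hunk.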