feat: restrict access to categories

firestore.rules

@@ -19,6 +19,10 @@ service cloud.firestore {
       return true;
     }
 
+    function noWriteAccess() {
+      return false;
+    }
+
     match /aggregations_rev20220126/{document=**} {
       allow read: if isPublicReadable();
       allow write: if isPublicWritable();
@@ -36,7 +40,7 @@ service cloud.firestore {
 
     match /question_categories_rev20231130/{document=**} {
       allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
     }
 
     match /questions_rev20230926/{document=**} {
@@ -46,7 +50,7 @@ service cloud.firestore {
 
     match /research_categories_rev20221224/{document=**} {
       allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
     }
 
     match /research_rev20201020/{document=**} {
@@ -84,12 +88,12 @@ service cloud.firestore {
 
     match /v3_categories/{document=**} {
       allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
     }
 
     match /v3_tags/{document=**} {
       allow read: if isPublicReadable();
-      allow write: if isPublicWritable();
+      allow write: if noWriteAccess();
     }
 
     match /v3_users/{userId} {

packages/security-rules/tests/general.spec.ts

@@ -105,14 +105,11 @@ describe('community platform', () => {
   const publicCollections = [
     'aggregations_rev20220126',
     'discussions_rev20231022',
-    'question_categories_rev20231130',
     'questions_rev20230926',
-    'research_categories_rev20221224',
     'research_rev20201020',
     'user_notifications_rev20221209',
     'v3_howtos',
     'v3_mappins',
-    'v3_tags',
     'v3_users',
   ]
 
@@ -131,4 +128,27 @@ describe('community platform', () => {
       })
     })
   })
+
+  const readableCollections = [
+    'v3_categories',
+    'v3_tags',
+    'research_categories_rev20221224',
+    'question_categories_rev20231130',
+  ]
+
+  readableCollections.forEach((collection) => {
+    describe(`${collection}`, () => {
+      it(`${collection} allows READ`, async () => {
+        await assertSucceeds(getDoc(doc(unauthedDb, collection, 'bar')))
+      })
+
+      it(`${collection} does not allow WRITE`, async () => {
+        await assertFails(
+          setDoc(doc(unauthedDb, collection, 'bar'), {
+            email: '',
+          }),
+        )
+      })
+    })
+  })
 })