Firebase Firestore security rules seem not applied at all

Question

I'm quite new to Firebase, but either I misunderstand something completely or there's something wrong with my Firebase account.

I added a Firestore Database to my Firebase app, and initially I chose it to be created in test mode. As far as I've read in the docs, test mode differs from production mode only by the default security rules.

I wanted to configure my rules properly, so the users can only access their own data.

However, I couldn't make it work, so I tried to configure my Firestore security rules to not allow any read or write operations to anyone. This is what I have currently set in Firestore Database -> Rules:

rules_version = '2';
    service cloud.firestore {
      match /databases/{database}/documents {
        match /{document=**} {
          allow read, write: if false;
        }
      }
    }

As I understand, these rules should not allow any read or writes in any collection in my database. The rules playground tells me exactly that when I try to run any request:

However, from my NextJS app I'm still able to get the data as follows:

import {
    getFirebaseAdmin
} from 'next-firebase-auth';
// ...
const categoriesDocument = await getFirebaseAdmin()
        .firestore()
        .collection('categories')
        .doc('D47pV7TxNpDNYNkHgfU0')
        .get();

and it all works just fine. I'm also sure the data is fetched from exactly this Firestore db, because when I alter some documents it's reflected in the data fetched.

I also noticed that in Firebase in Firestore Database -> Rules -> Monitor rules I see no results at all (total allows: 0, total denies: 0, total errors: 0).

Any idea what could be wrong here? What am I missing?

Answer 1

On the server, you're using firestore as admin. Rules don't apply there.