Expected behavior
When an author is given permissions to edit a chapter, they should only be able to edit that chapter.
Actual behavior
The front end verifies the condition above, but if a malicious author were to send a request from their client to edit a different chapter, it would be permitted, since the Firestore rule only checks if they have access to edit any chapter. This is not super consequential, but it is wrong.
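The gap described above, sketched as Firestore security rules with the weak check beside a per-chapter one. This is an added example, not this project's rules file: the `/chapters/{chapterId}` and `/users/{uid}` paths and the `editableChapters` field are assumptions made for illustration.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Hypothetical data model: /users/{uid}.editableChapters is a list of
    // the chapter document IDs this author has been granted.
    function editableChapters() {
      return get(/databases/$(database)/documents/users/$(request.auth.uid))
               .data.editableChapters;
    }

    match /chapters/{chapterId} {
      // Weak form (what the issue describes): true for any author holding
      // at least one grant, so an update to ANY chapter path is accepted.
      // allow update: if request.auth != null
      //               && editableChapters().size() > 0;

      // Corrected form: the grant must name the chapter being written.
      // `chapterId` is bound from the request path by the server, so a
      // hand-crafted client request cannot substitute another value.
      allow update: if request.auth != null
                    && chapterId in editableChapters();
    }

    match /users/{uid} {
      // The grant list must not be writable by the author it describes,
      // otherwise the check above can be bypassed by self-granting.
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if false;
    }
  }
}
```

With rules shaped like this, the Firestore emulator can confirm the fix: an update to a chapter outside the author's list should be denied, and an update to a granted chapter should still succeed.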