![security-high](https://www.gstatic.com/codereviewagent/security-high-priority.svg) ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)

![security-high](https://www.gstatic.com/codereviewagent/security-high-priority.svg) ![high](https://www.gstatic.com/codereviewagent/high-priority.svg)

The security rules for mentorships, tutorships, and pairings allow any authenticated user to create a document with any other user as a member, as long as the creator is also included in the `memberIds`. This allows an attacker to create 'fake' connections or overwrite existing ones, gaining access to the associated subcollections (tasks and notes) without the other user's consent.

_Originally posted by @gemini-code-assist[bot] in https://github.com/w3develops/w3Develops/pull/469#discussion_r2779374954_
            

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

![security-high](https://www.gstatic.com/codereviewagent/security-high-priority.svg) ![high](https://www.gstatic.com/codereviewagent/high-priority.svg) #476

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

![security-high](https://www.gstatic.com/codereviewagent/security-high-priority.svg) ![high](https://www.gstatic.com/codereviewagent/high-priority.svg) #476

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions