Collection group queries getting denied by firebase rules

There are users and projects as top-level collections, and tasks as a subcollection of projects. Below are my security rules, and I am having trouble allowing collection group queries on tasks. It doesn't seem to work even if I remove the check for createdBy. When I run the simulator for a task resource, my rules work.

// Projects: only the creator may read, update or delete; any signed-in user may create.
match /projects/{projectID} {
  allow read, delete, update: if request.auth.uid == resource.data.createdBy;
  allow create: if request.auth != null;
}

// Users: a user may only read, update or delete their own document.
match /users/{userID} {
  allow read, delete, update: if request.auth.uid == userID;
  allow create: if request.auth != null;
}

// Tasks under a project: same ownership check as projects.
// This match only covers the direct path, not collection group queries.
match /projects/{projectID}/tasks/{taskID} {
  allow read, delete, update: if request.auth.uid == resource.data.createdBy;
  allow create: if request.auth != null;
}

Here is my collection group query:

_firestore
    .collectionGroup('tasks')
    .where('dueDate', isEqualTo: DateTimeHelper.today)
    .where('createdBy', isEqualTo: user.id)
    .snapshots()
    .map((list) => list.documents.map((doc) {
          String projectId = doc.reference.parent().parent().documentID;
          String taskId = doc.documentID;
          return Task.fromDocument(doc, taskId, projectId);
        }).toList());
Frederick Mfinanga asked Sep 02 '25 01:09


1 Answer

None of your rules apply to collection group queries. You should review the documentation on rules for collection groups. From that page:

In your security rules, you must explicitly allow collection group queries by writing a rule for the collection group:

  1. Make sure rules_version = '2'; is the first line of your ruleset. Collection group queries require the new recursive wildcard {name=**} behavior of security rules version 2.
  2. Write a rule for your collection group using match /{path=**}/[COLLECTION_ID]/{doc}.

So your rule will look more like this:

rules_version = '2';  // at the very top of your rules

match /{path=**}/tasks/{taskID} {
  allow read, delete, update: if request.auth.uid == resource.data.createdBy;
  allow create: if request.auth != null;
}
Doug Stevenson answered Sep 05 '25 19:09
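A complete ruleset that combines the answer's collection group match with the question's per-path rules, added here as an illustration and not code from either poster. It assumes the standard service cloud.firestore / match /databases/{database}/documents wrapper, and it tightens the original create rules so that createdBy must equal the caller's uid, which is an addition beyond what either post states.

```firestore-rules
rules_version = '2';  // required: {path=**} only exists in version 2

service cloud.firestore {
  match /databases/{database}/documents {

    // The signed-in user owns the existing document.
    function isOwner() {
      return request.auth != null
          && request.auth.uid == resource.data.createdBy;
    }

    // New documents must record the caller as owner (added hardening:
    // without it a client could write someone else's uid into createdBy).
    function createsOwnDoc() {
      return request.auth != null
          && request.resource.data.createdBy == request.auth.uid;
    }

    match /users/{userID} {
      allow read, delete, update: if request.auth != null
                                  && request.auth.uid == userID;
      // Added hardening: only the user may create their own profile doc.
      allow create: if request.auth != null && request.auth.uid == userID;
    }

    match /projects/{projectID} {
      allow read, delete, update: if isOwner();
      allow create: if createsOwnDoc();
    }

    // Direct access to one task under a known project.
    match /projects/{projectID}/tasks/{taskID} {
      allow read, delete, update: if isOwner();
      allow create: if createsOwnDoc();
    }

    // Collection group access. This matches a collection named 'tasks' at
    // ANY depth, so the ownership check is what keeps it from exposing
    // every task. Only read is granted here; deletes and updates on a
    // result still go through the direct-path match above.
    match /{path=**}/tasks/{taskID} {
      allow read: if isOwner();
    }
  }
}
```

Because rules are evaluated against the query rather than filtering its results, the Dart collectionGroup('tasks') query must keep its where('createdBy', isEqualTo: user.id) clause; without it the query is rejected even though every returned document would individually pass isOwner().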