I accidentally found an odd loophole in the security rules.
If someone who is not an admin manually goes to scouting-.web.app/admin-panel, they can still adjust the game dropdown.
When they do that, it locks the game into that game. No one else has permission to change it. They become the only user able to change the game.
I also am not able to fix it. Admittedly, our database is not completely set up, so it could just be an issue on our end, but it is a potential issue.
Sorry for the slow response, unfortunately I only noticed this now!
I believe I fixed some part of the issue in the latest commit.
Notes:
[Fixed] the default is now that someone is not an admin until proven otherwise, where previously (admittedly, we probably weren't thinking very clearly) someone was an admin until the firebase request went through.
In the end, anyone can set their own "angular website" with the firebase config and try to manipulate the application. Most of the actual security lies in the Firestore rules.
Indeed the Firestore rules had issues as well! I fixed them in the (now) latest commit.
The Firestore "Rules Playground" is very useful to make sure everything is secure.
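As an added illustration of the "deny until proven admin" approach described above (this is example code, not the project's own rules): an admin-only write rule for the game selection document. The collection names `settings/game` and `admins/{uid}` are assumptions; the real rules may differ.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Assumed layout: an admin is any signed-in user whose uid has a
    // document in the `admins` collection. Unauthenticated requests
    // fail the first check, so the default is "not an admin".
    function isAdmin() {
      return request.auth != null
        && exists(/databases/$(database)/documents/admins/$(request.auth.uid));
    }

    // The document backing the "game dropdown". Anyone signed in may
    // read the current game; only admins may change it, so a non-admin
    // reaching /admin-panel by URL cannot lock the game for everyone.
    match /settings/game {
      allow read: if request.auth != null;
      allow write: if isAdmin();
    }

    // Admin membership is managed out of band (console or Admin SDK),
    // so clients can never grant themselves admin status.
    match /admins/{uid} {
      allow read: if request.auth != null && request.auth.uid == uid;
      allow write: if false;
    }
  }
}
```

In the Rules Playground, an `update` on `/settings/game` simulated as an authenticated uid with no `admins/{uid}` document should be denied, and the same request from a uid that has one should be allowed.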