GitHub Security Flaw: Client-Side Guard in TD #525 Exposes All Soft-Deleted Team Documents to Any Authenticated User
A high-severity vulnerability in a GitHub repository allows any authenticated user to bypass a client-side admin check and query the database directly for every soft-deleted team document. The flaw, identified in a pre-PR scan for TD #525, stems from a mismatch between a client-side TypeScript guard and the backend Firestore security rules: the guard restricts what the UI shows, but the rules never enforce the same restriction, so the sensitive data stays readable to anyone who is logged in.
The issue originates in the `useTeamStore.subscribe()` function in `src/store/useTeamStore.ts`, where a new listener for soft-deleted teams is gated by an admin-role check (`profile?.role === 'admin'`). That check exists only in the client-side TypeScript. The corresponding Firestore security rule for `/teams/{teamId}` remains a plain `allow read: if request.auth != null;`, which grants read access to every authenticated user regardless of role. When a web client talks to Firestore directly, the security rules are the only authorization boundary the client cannot skip, so an attacker can open the browser console and query the `teams` collection with a filter for `isDeleted == true`, bypassing the store entirely; the intended admin-only restriction is never evaluated on the server side. Because the role is also read from client-side state, a user could alternatively set `profile.role` to `'admin'` in the store to unlock the listener, although the direct query makes that step unnecessary.
Although it resembles an insecure direct object reference (IDOR), the attacker here guesses no object identifiers; the finding is a classic case of client-side enforcement of server-side security (CWE-602), a form of broken access control in which authorization logic exists only in the application layer and is absent from the data layer. It exposes every soft-deleted team record (which may contain historical project data, member lists, or internal communications) to any user who can log in. The fix is to enforce the admin requirement in the Firestore security rules themselves, where it cannot be circumvented by manipulating client state or by querying the database directly, and to treat the client-side check as a UI convenience rather than a control.
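The following rules file is an added example written for this write-up; it is not code from the repository or from the scan finding. It places the `/teams/{teamId}` rule as the finding describes it beside a hardened version that enforces the same admin gate the client applies. It assumes the profile the client reads (`profile?.role`) lives at `/users/{uid}` with a `role` field, and that every team document carries an `isDeleted` boolean; adjust both to the project's actual schema. The console bypass it closes is a plain `getDocs(query(collection(db, 'teams'), where('isDeleted', '==', true)))` from any signed-in session.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // BEFORE (as described in the finding): any signed-in user can read any
    // team document, soft-deleted or not. The admin gate lives only in
    // useTeamStore.ts, so a where('isDeleted', '==', true) query from the
    // browser console succeeds.
    //
    // match /teams/{teamId} {
    //   allow read: if request.auth != null;
    // }

    function isSignedIn() {
      return request.auth != null;
    }

    // Assumption for this example: the profile the client checks is stored at
    // /users/{uid} with a `role` field. The get() costs one document read per
    // rule evaluation; a custom auth claim (request.auth.token.admin == true)
    // is the cheaper alternative if the project mints claims on role changes.
    function isAdmin() {
      return isSignedIn()
        && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == 'admin';
    }

    // AFTER: the same gate, enforced at the data layer. Rules are not filters:
    // Firestore checks whether every document a query *could* return is
    // readable, so a non-admin query must include where('isDeleted', '==', false)
    // or it is rejected outright with "Missing or insufficient permissions".
    // A team document missing the isDeleted field fails the comparison and is
    // therefore denied to non-admins, which fails safe.
    match /teams/{teamId} {
      allow read: if isSignedIn()
        && (resource.data.isDeleted == false || isAdmin());

      // Only admins may soft-delete or restore a team. Other signed-in users
      // may update a team as long as the write does not touch isDeleted.
      allow update: if isAdmin()
        || (isSignedIn()
            && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['isDeleted']));
    }

    // Close the spoofing path as well: moving the role check into rules is
    // pointless if a user can write role: 'admin' into their own profile.
    match /users/{uid} {
      allow read: if isSignedIn() && (request.auth.uid == uid || isAdmin());
      allow create: if isSignedIn() && request.auth.uid == uid
        && !('role' in request.resource.data);
      allow update: if isAdmin()
        || (isSignedIn() && request.auth.uid == uid
            && !request.resource.data.diff(resource.data).affectedKeys().hasAny(['role']));
    }
  }
}
```

With these rules deployed, the existing client guard in `useTeamStore.subscribe()` stays useful only for deciding which listener to attach: the non-admin subscription must query with `where('isDeleted', '==', false)` to be accepted, and the admin subscription is the only path on which an `isDeleted == true` filter returns anything. Verify both behaviours in the Firestore emulator with a non-admin test user before merging, since a rule that is too strict surfaces as a permission error on the first page load rather than in the console.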