0👍
✅
It sounds like what you’re trying to do isn’t possible with security rules. If your rules don’t allow read access to a document, then there is no chance of anyone getting data out of it. It’s not possible to write a rule that allows someone to read a document if they simply know some data that’s inside it.
You’re probably going to have to create an API (using Cloud Functions if you want) that takes the email address as a parameter, performs the query, and sends the whatever result back to the client.
Source:stackexchange.com