0👍
Ok, so… first of all, I don’t think you need anonymous access on your DB, which is that read: if true. The last statement:
match /{document=**} {
allow read, write: if request.auth.uid != null;
}
Is granting read access to all your database for authenticated users, and that should be enough. Rules are matched top-bottom, so the error you’re seeing is probably because you reach a read for the collection in question, but the references in it point to another collection, that, at that point has no permissions, however, by the time you reach the last statement, those permissions are granted, hence you are getting the data.
Source:stackexchange.com