Is there a way for a user to only be able to read a document only if they have the exact document ID?
// should fail:
db.collection(`docs`).get()
// should succeed:
db.doc(`docs/${docId}`).get()It'll be like how if you have link sharing on in a Google Doc and you can only access the Doc if you have the link.
Yes that is possible, and actually quite easy once you realize that read in your security rules is a shorthand for two more granular operations: list and get.
So if you only allow get, the user must know a specific document ID, and they can't get the entire collection or query it.
Also see the documentation on granular security rules operations.
