Missing user ownership validation in path The rules use a path structure intended for user-private storage (e.g.