Reputation: 35
I created a jobs collection with a job document having a job id (XAXhAJh71hHbe1fY7blZ) and added the following security rules:
match /{document=**} {
  allow read, write: if false;
}
match /jobs/{jobId} {
  allow create: if request.auth.uid != null;
}
According to the docs create "Applies to writes to nonexistent documents". Namely if the document exists this operation should be rejected.
However, the Firestore simulator allows creating over an existing document ID. Namely, executing create on /jobs/XAXhAJh71hHbe1fY7blZ is allowed by the emulator even though the document exists in the database.
Firestore simulator screenshot
Upvotes: 0
Views: 47
Reputation: 317798
You misunderstood the definition of create. Your second sentence here isn't correct:
> According to the docs create "Applies to writes to nonexistent documents". Namely if the document exists this operation should be rejected.
The create rule doesn't reject anything if the document is already present. If the document is already present and being updated, the create rule doesn't apply at all. Instead, any update or write rules will apply. If no matching update or write rules allow access to the document, then the update will be rejected.
Upvotes: 1
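The behaviour described in the answer, as an added example that is not part of the original posts: a simplified JavaScript model (not the Firebase SDK or the emulator) of how a write is classified as create or update from whether the document exists, then checked against the question's rules. The names `writeMethod`, `evaluateWrite`, `db` and the sample user are hypothetical.

```javascript
// Simplified model of Firestore rule-method selection for writes.
// Assumption: this mirrors the documented semantics only; it is not Firebase code.

// The rules from the question, expressed as data.
const rules = [
  // match /{document=**} { allow read, write: if false; }
  { match: /^\/.+$/, methods: ['get', 'list', 'create', 'update', 'delete'],
    allow: () => false },
  // match /jobs/{jobId} { allow create: if request.auth.uid != null; }
  { match: /^\/jobs\/[^/]+$/, methods: ['create'],
    allow: (req) => req.auth !== null && req.auth.uid != null },
];

// The method of a write is derived from document state, not chosen by the client.
function writeMethod(exists, isDelete) {
  if (isDelete) return 'delete';
  return exists ? 'update' : 'create';
}

// A write is allowed if ANY matching allow statement for its method passes.
function evaluateWrite(db, path, auth, { isDelete = false } = {}) {
  const method = writeMethod(db.has(path), isDelete);
  const allowed = rules.some(
    (r) => r.match.test(path) && r.methods.includes(method) && r.allow({ auth })
  );
  return { method, allowed };
}

// Constructed sample state: the job document from the question already exists.
const db = new Set(['/jobs/XAXhAJh71hHbe1fY7blZ']);
const user = { uid: 'constructed-user-1' }; // constructed value

// Existing document: evaluated as update; no update rule grants access, so denied.
console.log(evaluateWrite(db, '/jobs/XAXhAJh71hHbe1fY7blZ', user));
// New document: evaluated as create; allowed for a signed-in user.
console.log(evaluateWrite(db, '/jobs/constructedNewJob', user));
// New document, unauthenticated: create rule applies but its condition fails.
console.log(evaluateWrite(db, '/jobs/constructedNewJob', null));
```

With these rules, overwriting an existing job is denied because it is checked as an update and nothing grants update, not because the create rule rejects it.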