    "connections-guests":{
      "$user_id":{
        "$to_user_id":{
          ".validate": "
            !root.child('/connections/' + $user_id + '/' + $to_user_id).exists()
          ",
          "score": {
              ".validate": "newData.val() * -1 <  now"
          },
          "$other": { ".validate": false }
        }
      }
    },

Apparently, on Cloud Functions, when I create this connections-guests node, it's always successful, regardless of .validate.

However, in the simulator (write: true for root), the validation rule is respected.

Frank van Puffelen
TIMEX

1 Answer


Most likely you are accessing the database using the Admin SDK from within your Cloud Functions code. When you initialize the Admin SDK with its default settings it runs with full privilege and indeed bypasses the security rules.

If you don't want to run with administrative privilege, you can either initialize the Admin SDK to run at lower privilege, or you can access the database through event.data.ref, which runs as the user who triggered the function.

Frank van Puffelen
  • `runs as the user who triggered the function.` -> does this mean the user who created the node that triggered the `onCreate` listener? – TIMEX Aug 18 '17 at 23:51
  • Yeah, that's what the docs say. I've never had the opportunity/need to try though, so let me know if it works differently. – Frank van Puffelen Aug 18 '17 at 23:59
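
The lower-privilege initialization mentioned in the answer, as an added example that is not part of the original answer or of Firebase's own code: it opens a second Admin SDK app with `databaseAuthVariableOverride`, so writes to `connections-guests` go through the security rules as a given uid instead of bypassing them. The function names, the `rules-as-` app-name prefix and the `databaseURL` argument are assumptions; `admin` is the `firebase-admin` module, passed in by the caller.

```javascript
// Added example. `admin` is the firebase-admin module, supplied by the caller
// (for instance require('firebase-admin') inside the Cloud Function).
// Function names and the app-name prefix are hypothetical.

// Characters the Realtime Database forbids in a key. Rejecting them also keeps
// a client-supplied id from addressing a different node through the path.
const BAD_KEY = /[.$#\[\]\/\x00-\x1f\x7f]/;
const isKey = (s) => typeof s === 'string' && s !== '' && !BAD_KEY.test(s);

// Return a Database handle whose reads and writes are evaluated by the
// security rules with auth.uid === uid, instead of running with full privilege.
function restrictedDatabase(admin, databaseURL, uid) {
  if (!isKey(uid)) throw new TypeError('uid must be a non-empty, key-safe string');
  const name = `rules-as-${uid}`;
  // Function instances are reused and initializeApp throws on a duplicate
  // name, so look for an app that was already created for this uid.
  const existing = admin.apps.find((a) => a && a.name === name);
  const app = existing || admin.initializeApp({
    credential: admin.credential.applicationDefault(),
    databaseURL,
    databaseAuthVariableOverride: { uid },
  }, name);
  return app.database();
}

// Write the `score` child from the question's rules. A write the rules reject
// is reported to the caller instead of being treated as a success.
async function createGuestConnection(db, userId, toUserId, score) {
  if (!isKey(userId) || !isKey(toUserId)) {
    throw new TypeError('ids must be non-empty, key-safe strings');
  }
  try {
    await db.ref(`connections-guests/${userId}/${toUserId}`).set({ score });
    return { written: true };
  } catch (err) {
    if (err && err.code === 'PERMISSION_DENIED') {
      return { written: false, reason: 'rejected by security rules' };
    }
    throw err; // network or other failure: let the function fail loudly
  }
}
```

Once the override is in place, `.write` rules apply as well as `.validate`, so the rules need a `.write` rule that allows this uid at `connections-guests` (the fragment in the question shows only `.validate`).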