I want users to be able to create a message (with contact form), but not allow them to read or update. I am adding a new contact as follows:
app.firestore().collection("messages").add({
name: this.state.name,
subject: this.state.subject,
message: this.state.message});
With the following security rules this is allowed:
match /messages/{message}{
allow read, delete: if request.auth.uid=="<SOME_ID>";
allow create: if true;
}
But when I add an update rule like below, I get an unsufficient permission error when adding a new message.
match /messages/{message}{
allow read, delete, update: if request.auth.uid=="<SOME_ID>";
allow create: if true;
}
If I move the update rule below the create, this still doesn't work. But have tried, to set update to "always allow/true" after which the add action works again.
It therefore seems that Firestore somehow looks at the strictest rule out of the update and create rules, but only if the rule for update is explicitly defined. Am I doing something wrong here?
Edit:
match /messages/{message}{
allow read, delete: if request.auth.uid=="<SOME_ID>";
allow create: if true; allow update: if false }
Does not lead to permission issues.. So the behaviour seems specific to the type of check I am doing here..
See Question&Answers more detail:os
