Cloud functions seem to bypass validation rules, but it shouldn't

误落风尘 2021-01-16 06:02
    "connections-guests":{
      "$user_id":{
        "$to_user_id":{
          ".validate": "
            !root.child('/connections/' + $user_id + '/'

1 answer
  • 2021-01-16 06:31

    Most likely you are accessing the database using the Admin SDK from within your Cloud Functions code. When you initialize the Admin SDK with its default settings, it runs with full privilege and indeed bypasses the security rules.

    If you don't want to run with administrative privilege, you can either initialize the Admin SDK to run at lower privilege, or you can access the database through event.data.ref, which runs as the user who triggered the function.

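The lower-privilege initialization the answer mentions, as an added example that is not part of the original question or answer: it builds Admin SDK app options with `databaseAuthVariableOverride`, so Realtime Database rules (including `.validate`) are evaluated against a chosen `auth` value instead of being bypassed. The helper names, the app name prefix and the uid and URL in the usage comment are assumptions; the `admin` module is passed in as a parameter so the helpers can be exercised without the SDK installed.

```javascript
// Added example: least-privilege Admin SDK setup for a Cloud Function.
// `databaseAuthVariableOverride` is an app option of firebase-admin; every
// helper name, uid and URL here is a hypothetical value for illustration.

// Options that make rules see `auth.uid === workerUid`. Omitting the
// override silently keeps full privilege, so a missing uid is rejected
// here rather than allowed to fall back to the default.
function limitedPrivilegeOptions(databaseURL, workerUid) {
  if (typeof workerUid !== 'string' || workerUid.length === 0) {
    throw new Error('workerUid must be a non-empty string');
  }
  return { databaseURL, databaseAuthVariableOverride: { uid: workerUid } };
}

// Options that make the SDK act as an unauthenticated client (`auth == null`).
function unauthenticatedOptions(databaseURL) {
  return { databaseURL, databaseAuthVariableOverride: null };
}

// Create a separately named app so the restricted identity cannot be
// confused with a default, full-privilege app in the same process.
function initLimitedApp(admin, databaseURL, workerUid) {
  const options = limitedPrivilegeOptions(databaseURL, workerUid);
  return admin.initializeApp(options, 'limited-' + workerUid);
}

// Write through the restricted app; the returned promise rejects when the
// rules deny the write instead of the write silently succeeding.
function guardedWrite(app, path, value) {
  return app.database().ref(path).set(value);
}

// Usage inside a function (constructed values):
//   const admin = require('firebase-admin');
//   const app = initLimitedApp(admin,
//     'https://example-project.firebaseio.com', 'connections-worker');
//   guardedWrite(app, '/connections-guests/uidA/uidB', true)
//     .catch((err) => console.error('rejected by rules:', err.message));
```

The rules must grant the chosen uid exactly the access the function needs, since that uid is now the identity the rules evaluate.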