Why don't .validate security rules get run when data is removed from Firebase?

Question

My .validate rules don't seem to get executed when I'm deleting data from Firebase. Is this a bug or intentional behavior?

Answer 1

In general, .validate rules are used to define what the data should look like if it exists. They are intentionally not run when the data is deleted. You should instead use .write rules to make decisions about whether the write (or delete) should be allowed.

For example, consider these rules for securing a simple chat room, where users can create new chat rooms but only delete ones for which they are the owner:

{
  "rules": {
    ".read": true,
    "$room": {
      ".write": "auth != null && (
                   (!data.exists() && newData.child('owner').val() == auth.uid) ||
                   (!newData.exists() && data.child('owner').val() == auth.uid))",
      ".validate": "newData.hasChildren(['owner', 'name'])",
      "name": {
        ".validate": "newData.val().length > 10"
      },
      "messages": {
        ".write": "auth != null"
      }
    }
  }
}

The .write rule is used to decide if a user has permission to create / remove a chat room, and the .validate rules are used to define what a chat room should look like if it exists.

If the .validate rules were run on deletes, you could never delete a chat room (since both .validate rules would fail). Hence the decision not to run .validate rules on deletes.