Evaluation of write permissions in rules

I want to give the following write (document level) permission for a collection :

  "subscribers": {
    "$elemMatch": {
      "$eq": "%%user.id"

The user is denied the write access when removing itself from subscribers. It seems like the write permission is evaluated AFTER the write operation is committed, with the consequence that the operation is reverted because write access is refused.

Is this the expected behavior?

Hi @Tanguy_1,

Yes, the system is designed to validate the write permissions against the state of the object both before and after the modification (assuming the object is not inserted/deleted). Thus, when the user removes itself from the “subscribers” list, the write permissions check will fail on the updated state because the entry for "%%user.id" is no longer present. As you noted, the write is reverted due to the concept of “compensating writes”, which is described here.

Let me know if you have any other questions,

This topic was automatically closed 5 days after the last reply. New replies are no longer allowed.