What recent change to Firestore makes it complain about “Overlapping recursive wildcard match statement”?

  • A+

Today I noticed that I am unable to deploy my Firestore rules, even though they worked fine until now and I didn't change them. Here's an excerpt of the part it doesn't like:

match /databases/{database}/documents {      function userMatchesId(userId) {       return request.auth != null           && request.auth.uid == userId     }      function userIsAdmin() {       return request.auth != null           && get(/databases/$(database)/documents/users/$(request.auth.uid)).data.role == "admin"     }      // === Admins ====     // Admin users are allowed to access everythings.     // Writes should be performed via code executed by a service account     match /{document=**} {       allow read: if userIsAdmin()     }      // ==== Private ====     // Collections private to the user. Documents read access is matched     // with the authenticated user id.     match /users/{userId} {       allow get: if userMatchesId(userId)     }      match /userCredits/{userId} {       allow get: if userMatchesId(userId)     } } 

In practice these rules have worked as I imagined it. Admins are allowed to read from collections that non-admins are not able to query directly. However, now I get this error during deployment:

Error: Compilation error in firestore.rules:

[W] 42:5 - Overlapping recursive wildcard match statement.

I do not quite understand the issue here. How would you fix this?


(Googler here) This is a mistake on our part. We are adding new compiler warnings to rules that help you notice bugs you may be introducing. Many people don't realize that if you have more than one match statement that matches a particular path, then the rules from those blocks are OR'ed together. This warning was supposed to help you discover that.

However it was never intended for this to stop you from deploying valid rules if you understand what you're doing! We will fix this.

Update 8/1 @ 11:50am PST

We are making two changes here:

  • We are releasing the CLI (npm firebase-tools) at version 4.0.2 with a fix for this issue to make warnings non-fatal. This should happen momentarily.
  • We are going to change the server behavior to undo/clarify this behavior until we get it right.


:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: