From 8be7b7da0e30beae29d0bdc3840651b8cad7ccd2 Mon Sep 17 00:00:00 2001
From: null
Date: Fri, 19 Jun 2026 21:52:19 -0500
Subject: [PATCH] chore: update couple create rule comment to reflect server-only flow (batch v0.2.20)

---
 firestore.rules | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/firestore.rules b/firestore.rules
index ee0ef14b..691a5a91 100644
--- a/firestore.rules
+++ b/firestore.rules
@@ -200,8 +200,9 @@ service cloud.firestore {
 // Read: both members can read
 allow read: if isCouplesMember(coupleId);
 
- // Create: acceptor creates the couple doc during pairing (client-side).
- // Must be a member of the couple and include required fields.
+ // Create: server-side only via the acceptInviteCallable Cloud Function.
+ // The Admin SDK bypasses these rules. The shape check remains as defense
+ // in depth in case any other trusted server process creates a couple doc.
 allow create: if isSignedIn()
 && request.auth.uid in request.resource.data.userIds
 && request.resource.data.keys().hasAll([
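Review bot: The new comment calls couple creation server-only, but the `allow create` rule beneath it is unchanged and still lets any signed-in client create a couple doc when its own uid is in `userIds` and the required keys are present. Security rules are evaluated only for client SDK and user-authenticated requests, and the comment itself notes that the Admin SDK bypasses them, so this check never runs for a trusted server process and is not defense in depth for one. What it keeps open is a direct client write path that presumably skips whatever invite validation acceptInviteCallable performs. If no client is meant to create couple docs, replace the condition with `allow create: if false;` and reword the comment to `// Create: denied for clients; couple docs are created only by acceptInviteCallable via the Admin SDK.` The `allow create` condition continues past the end of the hunk, so any further constraints it carries are not visible here.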