Writing null to non-existent node triggers create() validation

[dotdoom]

With the following rules:

objectAccess(objectId) {
  root.object_access[objectId][auth.uid]
}

path /shared/{userId}/{objectId} is Obj {
  create() {
    objectAccess(objectId) === "owner" &&
    this.sharing_accepted_by_receiver == false
  }
  <...>
}

And database looking like:

{
  "object_access": {
    "obj1": {
      "user1": "owner",
      "user2": "read",
    }
  }
}

There are 2 pitfalls I have encountered so far:

• "un-sharing" scenario: writing

  /shared/user2/obj1 = null
  /object_access/obj1/user2 = null

  triggers create() even though that node is not being created, subsequently failing on sharing_accepted_by_receiver == false;

• "deleting" scenario: writing

  /shared/user2/obj1 = null
  /object_access/obj1 = null

  triggers create() even though that node is not being created, subsequently failing on objectAccess === "owner".

Is this expected behavior? I'd expect in this case to skip all of CRUD alltogether and allow the write.

I understand that this may allow certain "probing" of the database by malicious users (to find null values), but it's still counter-intuitive and should likely be documented.