katwal-dipak

Reputation: 3691

Firestore security rules: request.query.limit not working with compound query

 allow list: if request.query.limit <= 15;

This rule is simply ignored when used with compound query.

firestore().collection('orders').where('customerId', '==', uid)
      .where('orderStatusCode', 'in', [1, 2, 3])
      .limit(100)
      .get()....

Security rule:

match /orders/{order} {
  allow list: if request.query.limit <= 15;

  allow read: if request.auth.uid == resource.data.customerId;
  allow create: if request.auth != null;
  allow update: if request.auth.uid == resource.data.customerId;
  allow delete: if false;
}

Upvotes: 0

Views: 467

Answers (1)

dshukertjr

Reputation: 18640

Firestore security rules will allow the operation if any of the security rules allow the operation.

In your case, you are allowing read access in the line after the list rule. read is a combination of get and list: get is for document-specific queries, and list is for queries on a collection. Even though the list rule was denied, the read rule was passing, so your query was getting data.

You can update your security rule like this for it to work:

match /orders/{order} {
  allow list: if request.query.limit <= 15;

  allow get: if request.auth.uid == resource.data.customerId;
  allow create: if request.auth != null;
  allow update: if request.auth.uid == resource.data.customerId;
  allow delete: if false;
}

Or, if you want to make data available to users where auth.uid == customerId, it would be like this:

match /orders/{order} {
  allow list: if request.query.limit <= 15
    && request.auth.uid == resource.data.customerId;

  allow get: if request.auth.uid == resource.data.customerId;
  allow create: if request.auth != null;
  allow update: if request.auth.uid == resource.data.customerId;
  allow delete: if false;
}

Upvotes: 1
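As an added illustration (not code from the question or the answer), a small JavaScript model of the evaluation semantics the answer relies on: every allow statement that covers the requested operation is tried, and the request succeeds if any one of them passes. The model is a deliberate simplification of the real rules engine (it ignores, for example, that list rules are checked against every document a query could return); the rule sets and the limit(100) request are taken from the page, the user id is constructed.

```javascript
// Simplified model of how Firestore combines `allow` statements:
// a request is permitted if ANY statement covering the operation is true.
// Not the real rules engine; only the union semantics are modelled.
const EXPAND = { read: ['get', 'list'], write: ['create', 'update', 'delete'] };

function covers(ruleOp, op) {
  return ruleOp === op || (EXPAND[ruleOp] || []).includes(op);
}

// rules: [{ op: 'list', cond: (ctx) => boolean }, ...]
function isAllowed(rules, op, ctx) {
  return rules.some((r) => covers(r.op, op) && r.cond(ctx));
}

const isOwner = (ctx) =>
  ctx.request.auth !== null && ctx.request.auth.uid === ctx.resource.data.customerId;
const smallPage = (ctx) => ctx.request.query.limit <= 15;

// The question's original rules: `allow read` silently also grants `list`.
const originalRules = [
  { op: 'list', cond: smallPage },
  { op: 'read', cond: isOwner },
];

// The answer's second variant: `get` for single documents,
// `list` only for the owner and only for small pages.
const fixedRules = [
  { op: 'list', cond: (ctx) => smallPage(ctx) && isOwner(ctx) },
  { op: 'get', cond: isOwner },
];

// Constructed request context: the order's owner (uid 'user_a' is made up)
// runs the compound query from the question with the given limit.
function ownerQuery(limit) {
  return {
    request: { auth: { uid: 'user_a' }, query: { limit } },
    resource: { data: { customerId: 'user_a' } },
  };
}

function demo() {
  return {
    originalAllowsBigList: isAllowed(originalRules, 'list', ownerQuery(100)), // true: the limit is bypassed via `read`
    fixedAllowsBigList: isAllowed(fixedRules, 'list', ownerQuery(100)),       // false: limit enforced
    fixedAllowsSmallList: isAllowed(fixedRules, 'list', ownerQuery(15)),      // true
    fixedAllowsGet: isAllowed(fixedRules, 'get', ownerQuery(100)),            // true: limit applies to list only
  };
}
```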
