Firestore security rules based on map values

Whenever you have (optional) nested properties, you should make sure the property exists before continuing to check its value, e.g.:

allow read: if role in request.auth.token && request.auth.token[role] == true

in your case:

allow read: if 'test' in resource.data.shared && resource.data.shared.test == true

I was struggling for a long time with roles until I realized that for non-admin users the admin field is undefined, and Firestore rules just crash and don't continue checking other possible matches.

For a user without token.admin, this will always crash no matter if you have other matches that are true, e.g.:

function userHasRole(role) {
  return isSignedIn() && request.auth.token[role] == true
}
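The existence check described in this answer, written out as a full ruleset. This is an added example, not the answerer's code; the `/items/{itemId}` collection and the `isSharedWith` helper are hypothetical names, while the `admin` claim and the `shared.test` field come from the page.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function isSignedIn() {
      return request.auth != null;
    }

    // Unguarded form from the answer above, kept for comparison:
    // reading token[role] raises an error when the claim is absent.
    //   return isSignedIn() && request.auth.token[role] == true;

    // Guarded form: the key test runs first, so the value is only
    // read when the custom claim is present on the token.
    function userHasRole(role) {
      return isSignedIn()
        && role in request.auth.token
        && request.auth.token[role] == true;
    }

    // Same guard for a map stored in the document. `shared` may be
    // missing or not a map, and the key may be missing inside it;
    // get() returns the default (false) instead of raising an error.
    function isSharedWith(key) {
      return 'shared' in resource.data
        && resource.data.shared is map
        && resource.data.shared.get(key, false) == true;
    }

    // Hypothetical collection used only for this example.
    match /items/{itemId} {
      allow read: if userHasRole('admin') || isSharedWith('test');
      allow write: if userHasRole('admin');
    }
  }
}
```

Exercising these rules in the Firebase emulator with three identities (no auth, a token without `admin`, a token with `admin: true`) against documents with and without a `shared` map covers each guard.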

Edit: This issue should be fixed now. If you're still seeing it (and are sure it's a bug with the rules evaluator), let me know in the comments.

I've chatted with some folks here about the problem you're encountering, and it appears to be an issue with the security rules itself. Essentially, the problem seems to be specific to evaluating nested fields in queries, like what you're doing.

So, basically, what you're doing should work fine, and you'll need to wait for an update from the Firestore team to make this query work. I'll try to remember to update this answer when that happens. Sorry 'bout that!