From 400ed09ecbf94414b2e2b88b8272f62967bcc65e Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock <tobie@abcum.com>
Date: Sun, 16 Oct 2022 22:22:13 +0100
Subject: [PATCH] Ensure PERMISSIONS clauses are not run for ROOT / NS / DB
 users

---
 lib/src/doc/pluck.rs | 33 ++++++++++++++++++++-------------
 1 file changed, 20 insertions(+), 13 deletions(-)

diff --git a/lib/src/doc/pluck.rs b/lib/src/doc/pluck.rs
index 2b0b20fd..b6b4b851 100644
--- a/lib/src/doc/pluck.rs
+++ b/lib/src/doc/pluck.rs
@@ -55,19 +55,26 @@ impl<'a> Document<'a> {
 			for fd in self.fd(opt, txn).await?.iter() {
 				// Loop over each field in document
 				for k in out.each(&fd.name).iter() {
-					// Process field permissions
-					match &fd.permissions.select {
-						Permission::Full => (),
-						Permission::None => out.del(ctx, opt, txn, k).await?,
-						Permission::Specific(e) => {
-							// Get the current value
-							let val = self.current.pick(k);
-							// Configure the context
-							let mut ctx = Context::new(ctx);
-							ctx.add_value("value".into(), &val);
-							// Process the PERMISSION clause
-							if !e.compute(&ctx, opt, txn, Some(&self.current)).await?.is_truthy() {
-								out.del(&ctx, opt, txn, k).await?
+					// Check for a PERMISSIONS clause
+					if opt.perms && opt.auth.perms() {
+						// Process field permissions
+						match &fd.permissions.select {
+							Permission::Full => (),
+							Permission::None => out.del(ctx, opt, txn, k).await?,
+							Permission::Specific(e) => {
+								// Get the current value
+								let val = self.current.pick(k);
+								// Configure the context
+								let mut ctx = Context::new(ctx);
+								ctx.add_value("value".into(), &val);
+								// Process the PERMISSION clause
+								if !e
+									.compute(&ctx, opt, txn, Some(&self.current))
+									.await?
+									.is_truthy()
+								{
+									out.del(&ctx, opt, txn, k).await?
+								}
 							}
 						}
 					}