From 444a38986a44038ca19f7a0b1ec6c8620efed66c Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock
Date: Fri, 27 Apr 2018 00:40:59 +0100
Subject: [PATCH] Ensure field permissions are correctly applied
---
 db/yield.go | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/db/yield.go b/db/yield.go
index 1a250b5e..a9840d13 100644
--- a/db/yield.go
+++ b/db/yield.go
@@ -25,48 +25,48 @@ import (
 func (d *document) cold(ctx context.Context) (doc *data.Doc, err error) {
+ // We need to copy the document so that
+ // we can add and remove the fields which
+ // are relevant to the particular query.
+
+ doc = d.initial.Copy()
+
 // If we are not authenticated using DB,
 // NS, or KV level, then we need to check
 // document permissions for this query.
 if k, ok := ctx.Value(ctxKeyKind).(cnf.Kind); ok {
 if k == cnf.AuthSC {
- if err = d.perms(ctx, d.initial); err != nil {
+ if err = d.perms(ctx, doc); err != nil {
 return nil, err
 }
 }
 }
- // We need to copy the document so that
- // we can add and remove the fields which
- // are relevant to the particular query.
-
- doc = d.initial.Copy()
-
 return
 }
 func (d *document) cnow(ctx context.Context) (doc *data.Doc, err error) {
+ // We need to copy the document so that
+ // we can add and remove the fields which
+ // are relevant to the particular query.
+
+ doc = d.current.Copy()
+
 // If we are not authenticated using DB,
 // NS, or KV level, then we need to check
 // document permissions for this query.
 if k, ok := ctx.Value(ctxKeyKind).(cnf.Kind); ok {
 if k == cnf.AuthSC {
- if err = d.perms(ctx, d.current); err != nil {
+ if err = d.perms(ctx, doc); err != nil {
 return nil, err
 }
 }
 }
- // We need to copy the document so that
- // we can add and remove the fields which
- // are relevant to the particular query.
-
- doc = d.current.Copy()
-
 return
 }
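Review bot: The permission filter in `cold` still fails open: `d.perms(ctx, doc)` runs only when the `ctx.Value(ctxKeyKind).(cnf.Kind)` assertion succeeds and the kind equals `cnf.AuthSC`, so a context that carries no kind, or any kind other than `cnf.AuthSC`, gets the unfiltered copy back; `cnow` has the same shape. The comment above the check states the rule as "not authenticated using DB, NS, or KV level", which reads as deny-by-default, while the condition is written allow-by-default. Whether every caller is guaranteed to set the kind is not visible in this hunk; if it is not, the guard could be flattened to `if k, ok := ctx.Value(ctxKeyKind).(cnf.Kind); !ok || k == cnf.AuthSC {` so a missing kind is handled as the least-privileged case. The patch touches only db/yield.go, so a regression test that reads a document under scope authentication and checks what `cold` and `cnow` return (presumably with the restricted fields absent) would pin the fix.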