From 52620fa9ce3c211d10d4639d5d91bb2a6197f144 Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock <tobie@abcum.com>
Date: Thu, 21 Jul 2016 22:49:34 +0100
Subject: [PATCH] Ensure requester is allowed to select/update/delete each
 document

---
 db/create.go | 4 ++++
 db/delete.go | 4 ++++
 db/modify.go | 4 ++++
 db/select.go | 3 ++-
 db/update.go | 4 ++++
 5 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/db/create.go b/db/create.go
index 1622fb48..45033228 100644
--- a/db/create.go
+++ b/db/create.go
@@ -65,6 +65,10 @@ func executeCreateStatement(ast *sql.CreateStatement) (out []interface{}, err er
 
 func create(txn kvs.TX, doc *item.Doc, ast *sql.CreateStatement) (out interface{}, err error) {
 
+	if !doc.Allow(txn, "create") {
+		return nil, nil
+	}
+
 	if err = doc.Merge(txn, ast.Data); err != nil {
 		return nil, err
 	}
diff --git a/db/delete.go b/db/delete.go
index d35c0bf3..faeddf34 100644
--- a/db/delete.go
+++ b/db/delete.go
@@ -67,6 +67,10 @@ func executeDeleteStatement(ast *sql.DeleteStatement) (out []interface{}, err er
 
 func delete(txn kvs.TX, doc *item.Doc, ast *sql.DeleteStatement) (out interface{}, err error) {
 
+	if !doc.Allow(txn, "delete") {
+		return nil, nil
+	}
+
 	if !doc.Check(txn, ast.Cond) {
 		return nil, nil
 	}
diff --git a/db/modify.go b/db/modify.go
index 97d7d01c..4ac861f5 100644
--- a/db/modify.go
+++ b/db/modify.go
@@ -53,6 +53,10 @@ func executeModifyStatement(ast *sql.ModifyStatement) (out []interface{}, err er
 
 func modify(txn kvs.TX, doc *item.Doc, ast *sql.ModifyStatement) (out interface{}, err error) {
 
+	if !doc.Allow(txn, "modify") {
+		return nil, nil
+	}
+
 	if !doc.Check(txn, ast.Cond) {
 		return nil, nil
 	}
diff --git a/db/select.go b/db/select.go
index 77ac11c5..88227bcb 100644
--- a/db/select.go
+++ b/db/select.go
@@ -16,6 +16,7 @@ package db
 
 import (
 	"github.com/abcum/surreal/sql"
+	"github.com/abcum/surreal/util/data"
 )
 
 func executeSelectStatement(ast *sql.SelectStatement) (out []interface{}, err error) {
@@ -26,7 +27,7 @@ func executeSelectStatement(ast *sql.SelectStatement) (out []interface{}, err er
 
 		out = append(out, map[string]interface{}{
 			"key": string(kv.Key()),
-			"val": string(kv.Val()),
+			"val": data.NewFromPACK(kv.Val()).Data(),
 		})
 	}
 
diff --git a/db/update.go b/db/update.go
index c1d1e152..744d6eca 100644
--- a/db/update.go
+++ b/db/update.go
@@ -67,6 +67,10 @@ func executeUpdateStatement(ast *sql.UpdateStatement) (out []interface{}, err er
 
 func update(txn kvs.TX, doc *item.Doc, ast *sql.UpdateStatement) (out interface{}, err error) {
 
+	if !doc.Allow(txn, "update") {
+		return nil, nil
+	}
+
 	if !doc.Check(txn, ast.Cond) {
 		return nil, nil
 	}