Ensure permission checks don’t create subsequent checks

2017-12-06 13:20:34 +00:00 · 2017-12-06 13:20:34 +00:00 · 6d8686138a
commit 6d8686138a
parent e9b44c3cf2
2 changed files with 21 additions and 0 deletions
--- a/db/check.go
+++ b/db/check.go
@ -60,6 +60,13 @@ func (d *document) grant(ctx context.Context, when method) (ok bool, err error)
 		return false, err
 	}

+	// Once we have the table we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// We then try to process the relevant
 	// permissions dependent on the query
 	// that we are currently processing. If
@ -123,6 +130,13 @@ func (d *document) allow(ctx context.Context, when method) (ok bool, err error)
 		return false, err
 	}

+	// Once we have the table we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// We then try to process the relevant
 	// permissions dependent on the query
 	// that we are currently processing. If
--- a/db/iterator.go
+++ b/db/iterator.go
@ -500,6 +500,13 @@ func (i *iterator) processPerms(ctx context.Context, nsv, dbv, tbv string) {
 		}
 	}

+	// If the table does exist we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// If the table does exist we then try
 	// to process the relevant permissions
 	// expression, but only if they don't