diff --git a/db/check.go b/db/check.go index ed6cb7c6..8e17600a 100644 --- a/db/check.go +++ b/db/check.go @@ -60,6 +60,13 @@ func (d *document) grant(ctx context.Context, when method) (ok bool, err error) return false, err } + // Once we have the table we reset the + // context to DB level so that no other + // embedded permissions are checked on + // records within these permissions. + + ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB) + // We then try to process the relevant // permissions dependent on the query // that we are currently processing. If @@ -123,6 +130,13 @@ func (d *document) allow(ctx context.Context, when method) (ok bool, err error) return false, err } + // Once we have the table we reset the + // context to DB level so that no other + // embedded permissions are checked on + // records within these permissions. + + ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB) + // We then try to process the relevant // permissions dependent on the query // that we are currently processing. If diff --git a/db/iterator.go b/db/iterator.go index a7b96119..4347c002 100644 --- a/db/iterator.go +++ b/db/iterator.go @@ -500,6 +500,13 @@ func (i *iterator) processPerms(ctx context.Context, nsv, dbv, tbv string) { } } + // If the table does exist we reset the + // context to DB level so that no other + // embedded permissions are checked on + // records within these permissions. + + ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB) + // If the table does exist we then try // to process the relevant permissions // expression, but only if they don't