From 6d8686138ae75ddac9d17ab12e75240e1d1d62ba Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock
Date: Wed, 6 Dec 2017 13:20:34 +0000
Subject: [PATCH] =?UTF-8?q?Ensure=20permission=20checks=20don=E2=80=99t=20?= =?UTF-8?q?create=20subsequent=20checks?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 db/check.go | 14 ++++++++++++++
 db/iterator.go | 7 +++++++
 2 files changed, 21 insertions(+)

diff --git a/db/check.go b/db/check.go
index ed6cb7c6..8e17600a 100644
--- a/db/check.go
+++ b/db/check.go
@@ -60,6 +60,13 @@ func (d *document) grant(ctx context.Context, when method) (ok bool, err error)
 return false, err
 }

+ // Once we have the table we reset the
+ // context to DB level so that no other
+ // embedded permissions are checked on
+ // records within these permissions.
+
+ ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 // We then try to process the relevant
 // permissions dependent on the query
 // that we are currently processing. If
@@ -123,6 +130,13 @@ func (d *document) allow(ctx context.Context, when method) (ok bool, err error)
 return false, err
 }

+ // Once we have the table we reset the
+ // context to DB level so that no other
+ // embedded permissions are checked on
+ // records within these permissions.
+
+ ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 // We then try to process the relevant
 // permissions dependent on the query
 // that we are currently processing. If
diff --git a/db/iterator.go b/db/iterator.go
index a7b96119..4347c002 100644
--- a/db/iterator.go
+++ b/db/iterator.go
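Review bot: Overwriting the `ctx` parameter in grant() means every call after this line runs with `cnf.AuthDB`, not only the evaluation of the permission expression; the same reassignment is in allow() below and in processPerms() in db/iterator.go. Binding the changed context to its own name, `pctx := context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)`, and passing `pctx` only to the call that evaluates the permission expression would keep the caller's auth level for everything else in the function. The bodies of all three functions continue outside the hunks, so whether a later call uses `ctx` for record access cannot be confirmed from here. Since the three sites are identical, a small shared helper would also stop them drifting apart.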
@@ -500,6 +500,13 @@ func (i *iterator) processPerms(ctx context.Context, nsv, dbv, tbv string) {
 }
 }

+ // If the table does exist we reset the
+ // context to DB level so that no other
+ // embedded permissions are checked on
+ // records within these permissions.
+
+ ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 // If the table does exist we then try
 // to process the relevant permissions
 // expression, but only if they don't
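Review bot: No test comes with this change (the diffstat lists only db/check.go and db/iterator.go), and a line that switches the auth kind inside the permission path is easy to regress. A useful test would define two tables that both carry permissions, with the first table's permission expression selecting from the second. It should assert, for a user below DB level, that a query on the first table evaluates the expression without triggering the second table's permission checks, and that the same user is still refused when selecting from the second table directly. The second assertion is the one that would catch the DB-level context being used beyond expression evaluation.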