Ensure permission checks don’t create subsequent checks

db/check.go

@@ -60,6 +60,13 @@ func (d *document) grant(ctx context.Context, when method) (ok bool, err error)
 		return false, err
 	}
 
+	// Once we have the table we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// We then try to process the relevant
 	// permissions dependent on the query
 	// that we are currently processing. If
@@ -123,6 +130,13 @@ func (d *document) allow(ctx context.Context, when method) (ok bool, err error)
 		return false, err
 	}
 
+	// Once we have the table we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// We then try to process the relevant
 	// permissions dependent on the query
 	// that we are currently processing. If

db/iterator.go

@@ -500,6 +500,13 @@ func (i *iterator) processPerms(ctx context.Context, nsv, dbv, tbv string) {
 		}
 	}
 
+	// If the table does exist we reset the
+	// context to DB level so that no other
+	// embedded permissions are checked on
+	// records within these permissions.
+
+	ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
 	// If the table does exist we then try
 	// to process the relevant permissions
 	// expression, but only if they don't