added todo for the extra rule constraint

Gani Georgiev
2026-03-04 22:14:49 +02:00
parent e9d4b1fe77
commit 4a40c1b897


@@ -184,6 +184,13 @@ func (r *RecordFieldResolver) updateQueryWithCollectionListRule(c *Collection, t
return fmt.Errorf("failed to build %q ListRule join subquery filter expression: %w", c.Name, err)
}
// Bind the extra rule expression at the top query level for performance and security reasons
// (it is more strict and minimizes the risk of data disclosure from a side-channel attack).
//
// @todo Investigate with the refactoring if there is a way to group it
// together with the client-side constraint that invoked it and benchmark
// it with many (tag.name="1"||...) like statements to evaluate the impact of applying the check many times.
// If not feasible - document it as caveat and maybe add --dev log.
query.AndWhere(expr)
if len(cloneR.joins) > 0 {