From 4a40c1b8979a1a206209ba68809ade0ca859e9d7 Mon Sep 17 00:00:00 2001
From: Gani Georgiev
Date: Wed, 4 Mar 2026 22:14:49 +0200
Subject: [PATCH] added todo for the extra rule constraint
---
 core/record_field_resolver.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/core/record_field_resolver.go b/core/record_field_resolver.go
index a4f63099..dca38dad 100644
--- a/core/record_field_resolver.go
+++ b/core/record_field_resolver.go
@@ -184,6 +184,13 @@ func (r *RecordFieldResolver) updateQueryWithCollectionListRule(c *Collection, t
 		return fmt.Errorf("failed to build %q ListRule join subquery filter expression: %w", c.Name, err)
 	}
+	// Bind the extra rule expression at the top query level for performance and security reasons
+	// (it is more strict and minimizes the risk of data disclosure from a side-channel attack).
+	//
+	// @todo Investigate with the refactoring if there is a way to group it
+	// together with the client-side constraint that invoked it and benchmark
+	// it with many (tag.name="1"||...) like statements to evaluate the impact of applying the check many times.
+	// If not feasible - document it as caveat and maybe add --dev log.
 	query.AndWhere(expr)
 	if len(cloneR.joins) > 0 {
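Review bot: The new comment above `query.AndWhere(expr)` names a security reason but not the invariant the @todo must preserve, so a future "grouping" refactor could weaken it without anyone noticing. The point of the top-level AND is that the ListRule expression constrains every returned row independently of how the client-supplied filter is shaped (nesting, OR branches, repeated references to the same relation); a grouped form is only acceptable if it provably keeps that property for every branch. I would state that explicitly, e.g. `// Invariant for any regrouping: the ListRule expression must still bound every row regardless of the structure of the client filter that triggered it; a benchmark win does not justify relaxing this.` It would also help to say what the proposed `--dev` log would report (presumably the number of times the rule expression is applied per query), since "maybe add --dev log" gives the next maintainer nothing to implement. The enclosing updateQueryWithCollectionListRule starts and ends outside the hunk.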