OpenSaasAU
diff --git a/‎packages/core/src/access/engine.ts‎
Lines changed: 85 additions & 70 deletions b/‎packages/core/src/access/engine.ts‎
Lines changed: 85 additions & 70 deletions
diff --git a/‎packages/core/src/access/index.ts‎
Lines changed: 1 addition & 0 deletions b/‎packages/core/src/access/index.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/core/src/context/index.ts‎
Lines changed: 33 additions & 6 deletions b/‎packages/core/src/context/index.ts‎
Lines changed: 33 additions & 6 deletions
diff --git a/‎packages/core/tests/access-relationships.test.ts‎
Lines changed: 23 additions & 43 deletions b/‎packages/core/tests/access-relationships.test.ts‎
Lines changed: 23 additions & 43 deletions
@@ -170,6 +170,74 @@ function matchesFilter(item: any, filter: Record<string, any>): boolean {
   return true;
 }
 
+/**
+ * Build Prisma include object with access control filters
+ * This allows us to filter relationships at the database level instead of in memory
+ */
+export async function buildIncludeWithAccessControl(
+  fieldConfigs: Record<string, FieldConfig>,
+  args: {
+    session: Session;
+    context: AccessContext;
+  },
+  config: OpenSaaSConfig,
+  depth: number = 0,
+): Promise<Record<string, any> | undefined> {
+  const MAX_DEPTH = 5;
+  if (depth >= MAX_DEPTH) {
+    return undefined;
+  }
+
+  const include: Record<string, any> = {};
+  let hasRelationships = false;
+
+  for (const [fieldName, fieldConfig] of Object.entries(fieldConfigs)) {
+    if (fieldConfig?.type === "relationship") {
+      hasRelationships = true;
+      const relatedConfig = getRelatedListConfig(fieldConfig.ref, config);
+
+      if (relatedConfig) {
+        // Check query access for the related list
+        const queryAccess = relatedConfig.listConfig.access?.operation?.query;
+        const accessResult = await checkAccess(queryAccess, {
+          session: args.session,
+          context: args.context,
+        });
+
+        // If access is completely denied, exclude this relationship
+        if (accessResult === false) {
+          continue;
+        }
+
+        // Build the include entry
+        const includeEntry: Record<string, any> = {};
+
+        // If access returns a filter, add it to the where clause
+        if (typeof accessResult === "object") {
+          includeEntry.where = accessResult;
+        }
+
+        // Recursively build nested includes
+        const nestedInclude = await buildIncludeWithAccessControl(
+          relatedConfig.listConfig.fields,
+          args,
+          config,
+          depth + 1,
+        );
+
+        if (nestedInclude && Object.keys(nestedInclude).length > 0) {
+          includeEntry.include = nestedInclude;
+        }
+
+        // Add to include object
+        include[fieldName] = Object.keys(includeEntry).length > 0 ? includeEntry : true;
+      }
+    }
+  }
+
+  return hasRelationships ? include : undefined;
+}
+
 /**
  * Filter fields from an object based on read access
  * Recursively applies access control to nested relationships
@@ -206,7 +274,9 @@ export async function filterReadableFields<T extends Record<string, any>>(
       continue;
     }
 
-    // Handle relationship fields with nested access control
+    // Handle relationship fields - recursively filter fields within related items
+    // Note: Access control filtering is now done at database level via buildIncludeWithAccessControl
+    // This only handles field-level access (hiding sensitive fields)
     if (
       config &&
       fieldConfig?.type === "relationship" &&
@@ -217,84 +287,29 @@ export async function filterReadableFields<T extends Record<string, any>>(
       const relatedConfig = getRelatedListConfig(fieldConfig.ref, config);
 
       if (relatedConfig) {
-        // For many relationships (arrays)
+        // For many relationships (arrays) - recursively filter fields in each item
         if (Array.isArray(value)) {
-          const filteredArray = await Promise.all(
-            value.map(async (relatedItem) => {
-              // Check query access for the related list
-              const queryAccess = relatedConfig.listConfig.access?.operation?.query;
-              const accessResult = await checkAccess(queryAccess, {
-                session: args.session,
-                item: relatedItem,
-                context: args.context,
-              });
-
-              // If access denied, filter out this item
-              if (accessResult === false) {
-                return null;
-              }
-
-              // If access returns a filter, check if item matches
-              if (typeof accessResult === "object") {
-                if (!matchesFilter(relatedItem, accessResult)) {
-                  return null;
-                }
-              }
-
-              // Recursively filter readable fields on the related item
-              return await filterReadableFields(
+          filtered[fieldName] = await Promise.all(
+            value.map((relatedItem) =>
+              filterReadableFields(
                 relatedItem,
                 relatedConfig.listConfig.fields,
                 args,
                 config,
                 depth + 1,
-              );
-            }),
+              ),
+            ),
           );
-
-          // Remove null entries (items that were filtered out)
-          filtered[fieldName] = filteredArray.filter((item) => item !== null);
         }
-        // For single relationships (objects)
+        // For single relationships (objects) - recursively filter fields
         else if (typeof value === "object") {
-          // Check query access for the related list
-          const queryAccess = relatedConfig.listConfig.access?.operation?.query;
-          const accessResult = await checkAccess(queryAccess, {
-            session: args.session,
-            item: value,
-            context: args.context,
-          });
-
-          // If access denied, set to null
-          if (accessResult === false) {
-            filtered[fieldName] = null;
-          }
-          // If access returns a filter, check if item matches
-          else if (typeof accessResult === "object") {
-            if (!matchesFilter(value, accessResult)) {
-              filtered[fieldName] = null;
-            } else {
-              // Recursively filter readable fields on the related item
-              filtered[fieldName] = await filterReadableFields(
-                value,
-                relatedConfig.listConfig.fields,
-                args,
-                config,
-                depth + 1,
-              );
-            }
-          }
-          // Access granted (true)
-          else {
-            // Recursively filter readable fields on the related item
-            filtered[fieldName] = await filterReadableFields(
-              value,
-              relatedConfig.listConfig.fields,
-              args,
-              config,
-              depth + 1,
-            );
-          }
+          filtered[fieldName] = await filterReadableFields(
+            value,
+            relatedConfig.listConfig.fields,
+            args,
+            config,
+            depth + 1,
+          );
         }
       } else {
         // Related config not found, include the value as-is
 
@@ -14,4 +14,5 @@ export {
   isBoolean,
   isPrismaFilter,
   getRelatedListConfig,
+  buildIncludeWithAccessControl,
 } from "./engine.js";
@@ -5,6 +5,7 @@ import {
   mergeFilters,
   filterReadableFields,
   filterWritableFields,
+  buildIncludeWithAccessControl,
 } from "../access/index.js";
 import {
   executeResolveInput,
@@ -118,18 +119,31 @@ function createFindUnique<TPrisma extends PrismaClientLike>(
       return null;
     }
 
-    // Execute query
+    // Build include with access control filters
+    const accessControlledInclude = await buildIncludeWithAccessControl(
+      listConfig.fields,
+      {
+        session: context.session,
+        context,
+      },
+      config,
+    );
+
+    // Merge user-provided include with access-controlled include
+    const include = args.include || accessControlledInclude;
+
+    // Execute query with optimized includes
     const model = (prisma as any)[listName.toLowerCase()];
     const item = await model.findFirst({
       where,
-      include: args.include,
+      include,
     });
 
     if (!item) {
       return null;
     }
 
-    // Filter readable fields
+    // Filter readable fields (now only handles field-level access, not array filtering)
     const filtered = await filterReadableFields(
       item,
       listConfig.fields,
@@ -177,16 +191,29 @@ function createFindMany<TPrisma extends PrismaClientLike>(
       return [];
     }
 
-    // Execute query
+    // Build include with access control filters
+    const accessControlledInclude = await buildIncludeWithAccessControl(
+      listConfig.fields,
+      {
+        session: context.session,
+        context,
+      },
+      config,
+    );
+
+    // Merge user-provided include with access-controlled include
+    const include = args?.include || accessControlledInclude;
+
+    // Execute query with optimized includes
     const model = (prisma as any)[listName.toLowerCase()];
     const items = await model.findMany({
       where,
       take: args?.take,
       skip: args?.skip,
-      include: args?.include,
+      include,
     });
 
-    // Filter readable fields for each item
+    // Filter readable fields for each item (now only handles field-level access)
     const filtered = await Promise.all(
       items.map((item: any) =>
         filterReadableFields(
 
@@ -108,7 +108,7 @@ describe('Relationship Access Control', () => {
         expect(result.author?.name).toBe('John Doe')
       })
 
-      it('should filter out single relationship when access denied', async () => {
+      it('should filter out single relationship when access denied (via buildIncludeWithAccessControl)', async () => {
         const config: OpenSaaSConfig = {
           db: {
             provider: 'postgresql',
@@ -137,17 +137,10 @@ describe('Relationship Access Control', () => {
           },
         }
 
-        const post = {
-          id: '1',
-          title: 'Test Post',
-          author: {
-            id: '1',
-            name: 'John Doe',
-          },
-        }
+        // Test that buildIncludeWithAccessControl excludes the denied relationship
+        const { buildIncludeWithAccessControl } = await import('../src/access/engine.js')
 
-        const result = await filterReadableFields(
-          post,
+        const include = await buildIncludeWithAccessControl(
           config.lists.Post.fields,
           {
             session: null,
@@ -156,8 +149,9 @@ describe('Relationship Access Control', () => {
           config,
         )
 
-        expect(result.title).toBe('Test Post')
-        expect(result.author).toBeNull()
+        // When access is denied, the relationship should not be included
+        expect(include).toBeDefined()
+        expect(include?.author).toBeUndefined()
       })
 
       it('should apply field-level access to single relationship', async () => {
@@ -277,7 +271,7 @@ describe('Relationship Access Control', () => {
         expect(result.posts?.[1].title).toBe('Post 2')
       })
 
-      it('should filter items in many relationships based on query access', async () => {
+      it('should filter items in many relationships based on query access (via buildIncludeWithAccessControl)', async () => {
         const config: OpenSaaSConfig = {
           db: {
             provider: 'postgresql',
@@ -309,18 +303,10 @@ describe('Relationship Access Control', () => {
           },
         }
 
-        const user = {
-          id: '1',
-          name: 'John Doe',
-          posts: [
-            { id: '1', title: 'Published Post', status: 'published' },
-            { id: '2', title: 'Draft Post', status: 'draft' },
-            { id: '3', title: 'Another Published', status: 'published' },
-          ],
-        }
+        // Test that buildIncludeWithAccessControl creates the right where clause
+        const { buildIncludeWithAccessControl } = await import('../src/access/engine.js')
 
-        const result = await filterReadableFields(
-          user,
+        const include = await buildIncludeWithAccessControl(
           config.lists.User.fields,
           {
             session: null,
@@ -329,10 +315,10 @@ describe('Relationship Access Control', () => {
           config,
         )
 
-        // Should only include published posts
-        expect(result.posts).toHaveLength(2)
-        expect(result.posts?.[0].title).toBe('Published Post')
-        expect(result.posts?.[1].title).toBe('Another Published')
+        // Should include posts with a where filter
+        expect(include).toBeDefined()
+        expect(include?.posts).toBeDefined()
+        expect(include?.posts.where).toEqual({ status: { equals: 'published' } })
       })
 
       it('should apply field-level access to items in many relationships', async () => {
@@ -448,7 +434,7 @@ describe('Relationship Access Control', () => {
     })
 
     describe('session-based access for relationships', () => {
-      it('should apply session-based access to relationships', async () => {
+      it('should apply session-based access to relationships (via buildIncludeWithAccessControl)', async () => {
         const config: OpenSaaSConfig = {
           db: {
             provider: 'postgresql',
@@ -483,17 +469,10 @@ describe('Relationship Access Control', () => {
           },
         }
 
-        const user = {
-          id: '1',
-          name: 'John Doe',
-          posts: [
-            { id: '1', title: 'My Post', authorId: '1' },
-            { id: '2', title: 'Someone Elses Post', authorId: '2' },
-          ],
-        }
+        // Test that buildIncludeWithAccessControl creates session-based where clause
+        const { buildIncludeWithAccessControl } = await import('../src/access/engine.js')
 
-        const result = await filterReadableFields(
-          user,
+        const include = await buildIncludeWithAccessControl(
           config.lists.User.fields,
           {
             session: { userId: '1' },
@@ -502,9 +481,10 @@ describe('Relationship Access Control', () => {
           config,
         )
 
-        // Should only include user's own posts
-        expect(result.posts).toHaveLength(1)
-        expect(result.posts?.[0].title).toBe('My Post')
+        // Should include posts with session-based where filter
+        expect(include).toBeDefined()
+        expect(include?.posts).toBeDefined()
+        expect(include?.posts.where).toEqual({ authorId: { equals: '1' } })
       })
     })