Skip to content

Fix: Restore EntityName after processing nested filter for CosmosDB #3072

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
TomasDJo wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix: Restore EntityName after processing nested filter for CosmosDB #3072

TomasDJo wants to merge 1 commit into from
+1 −0

Conversation

@TomasDJo
Copy link

@TomasDJo TomasDJo commented Jan 20, 2026

Why make this change?

What is this change?

When processing non-list nested object filters for CosmosDB in GQLFilterParser.Parse(), the EntityName property of cosmosQueryStructure is mutated to the nested type name but not restored after the recursive parsing completes.

This causes subsequent nested filters to use the wrong entity name for authorization checks:

  1. First nested filter (e.g., toOwnership) → EntityName set to "ToOwnership"
  2. DatabaseObject.Name and SourceAlias are restored ✓
  3. EntityName is NOT restored ✗ (still "ToOwnership")
  4. Second nested filter (e.g., fromOwnership) → authorization check uses wrong entity → fails

The fix adds a single line to restore EntityName alongside the existing restoration of DatabaseObject.Name and SourceAlias.

How was this tested?

  • Manual testing against real CosmosDB with nested filter queries
  • Integration Tests (CosmosDB emulator not available locally)
  • Unit Tests

Before fix:

{"errors":[{"message":"Access forbidden to a field referenced in the filter.","extensions":{"code":"AuthorizationCheckFailed"}}],"data":null}

After fix:

{"data":{"transactions":{"items":[{"id":"31654581"},{"id":"28285539"}]}}}

Sample Request(s)

# This query failed before the fix
{
  transactions(filter: {
    toOwnership: { toOwnerType: { eq: "Privat" } },
    fromOwnership: { fromOwnerType: { eq: "Privat" } }
  }, first: 2) {
    items { id }
  }
}

@TomasDJo
When processing non-list nested object filters for CosmosDB, the Enti…
b1b3136 
…tyName was mutated but not restored after recursive parsing.

This caused subsequent nested filters to use the wrong entity name for authorization checks, resulting in AuthorizationCheckFailed errors.

The fix adds a single line to restore EntityName alongside the existing restoration of DatabaseObject.Name and SourceAlias.

Closes Azure#3070
Copilot AI review requested due to automatic review settings January 20, 2026 13:37
Copilot AI reviewed Jan 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a bug in CosmosDB nested filter processing where the EntityName property was not being restored after processing non-list nested object filters, causing authorization failures when filtering on multiple different nested objects.

Changes:

  • Added restoration of EntityName property in GQLFilterParser.Parse() method after recursive parsing of non-list nested filters for CosmosDB

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@JerryNixon
Copy link
Contributor

JerryNixon commented Jan 21, 2026

@copilot evaluate the efficacy of this PR to resolve the issue at hand.

@RubenCerna2079 RubenCerna2079 self-assigned this Jan 22, 2026
@RubenCerna2079
Copy link
Contributor

RubenCerna2079 commented Jan 22, 2026

@TomasDJo would you be able to add some unit tests on this PR to verify that the change you made works as intended?
If you have any problems with this let me know and I should be able to help you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@JerryNixon JerryNixon JerryNixon approved these changes

@Aniruddh25 Aniruddh25 Awaiting requested review from Aniruddh25 Aniruddh25 is a code owner

@aaronburtle aaronburtle Awaiting requested review from aaronburtle aaronburtle is a code owner

@anushakolan anushakolan Awaiting requested review from anushakolan anushakolan is a code owner

@RubenCerna2079 RubenCerna2079 Awaiting requested review from RubenCerna2079 RubenCerna2079 is a code owner

@souvikghosh04 souvikghosh04 Awaiting requested review from souvikghosh04 souvikghosh04 is a code owner

@neeraj-sharma2592 neeraj-sharma2592 Awaiting requested review from neeraj-sharma2592 neeraj-sharma2592 is a code owner

@sourabh1007 sourabh1007 Awaiting requested review from sourabh1007 sourabh1007 is a code owner

@vadeveka vadeveka Awaiting requested review from vadeveka vadeveka is a code owner

@Alekhya-Polavarapu Alekhya-Polavarapu Awaiting requested review from Alekhya-Polavarapu Alekhya-Polavarapu is a code owner

@rusamant rusamant Awaiting requested review from rusamant rusamant is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

@RubenCerna2079 RubenCerna2079

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: Filtering on multiple different nested objects returns AuthorizationCheckFailed (CosmosDB, GraphQL)

3 participants

@TomasDJo @JerryNixon @RubenCerna2079