Summary
When a document is ACP-protected, querying _commits(docID: ...) bypasses ACP filtering — an unauthorized user can read the full commit history of a document they cannot access via the normal collection query path.
Steps to Reproduce
- Create an ACP policy and deploy a schema with @policy
- Alice creates a document (registered with ACP under her DID)
- Bob (no grant) queries: query { _commits(docID: "<alice_doc>") { cid height } }
- Bob sees all commits — ACP was not checked
Expected
Bob should see 0 commits (same as the User query path which correctly returns empty).
Context
The _commits code path is separate from the normal collection query path. Both need independent ACP filtering. The Rust implementation (defradb.rs) has this fix and the corresponding test (rust_commits_acp_denied) passes.
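As an added illustration, not DefraDB's own code and not the fix referenced in defradb.rs: a small Go model of the two query paths described above. The type and function names (DID, ACP, Store, QueryDocument, CommitsUnfiltered, Commits) and the sample CIDs are hypothetical. It shows the defect pattern, a commit-history path that never consults ACP, beside the corrected path that performs its own ACP check and returns an empty result for a denied actor, matching the collection query path.

```go
package main

import "fmt"

// DID identifies an actor (hypothetical simplification of an identity).
type DID string

// Commit is one entry in a document's history.
type Commit struct {
	CID    string
	Height int
}

// Document is a stored record together with its full commit history.
type Document struct {
	ID      string
	Owner   DID
	Commits []Commit
}

// ACP is a toy access-control table: docID -> actors allowed to read it.
type ACP struct {
	readers map[string]map[DID]bool
}

func NewACP() *ACP {
	return &ACP{readers: map[string]map[DID]bool{}}
}

// Register records a document under its owner's DID; the owner may read it.
func (a *ACP) Register(doc *Document) {
	a.readers[doc.ID] = map[DID]bool{doc.Owner: true}
}

// Grant gives another actor read access to a registered document.
func (a *ACP) Grant(docID string, who DID) {
	if set, ok := a.readers[docID]; ok {
		set[who] = true
	}
}

// CanRead is the single ACP decision that every read path must consult.
// Documents never registered with ACP are treated as unprotected (public).
func (a *ACP) CanRead(docID string, who DID) bool {
	set, protected := a.readers[docID]
	if !protected {
		return true
	}
	return set[who]
}

// Store holds documents and the ACP instance.
type Store struct {
	docs map[string]*Document
	acp  *ACP
}

func NewStore() *Store {
	return &Store{docs: map[string]*Document{}, acp: NewACP()}
}

// Create stores a document and registers it with ACP under its owner.
func (s *Store) Create(doc *Document) {
	s.docs[doc.ID] = doc
	s.acp.Register(doc)
}

// QueryDocument is the collection query path: it filters by ACP.
func (s *Store) QueryDocument(who DID, docID string) (*Document, bool) {
	doc, ok := s.docs[docID]
	if !ok || !s.acp.CanRead(docID, who) {
		return nil, false
	}
	return doc, true
}

// CommitsUnfiltered models the defect: the commit-history path never
// consults ACP, so anyone who knows the docID receives the whole history.
func (s *Store) CommitsUnfiltered(docID string) []Commit {
	if doc, ok := s.docs[docID]; ok {
		return doc.Commits
	}
	return nil
}

// Commits is the corrected path: it performs its own ACP check instead of
// assuming the caller already passed through QueryDocument.
func (s *Store) Commits(who DID, docID string) []Commit {
	if !s.acp.CanRead(docID, who) {
		return nil // denied: empty result, same as the collection path
	}
	return s.CommitsUnfiltered(docID)
}

func main() {
	s := NewStore()
	// Constructed sample document and CIDs, not real DefraDB values.
	s.Create(&Document{ID: "alice_doc", Owner: "did:alice",
		Commits: []Commit{{CID: "bafy-sample-1", Height: 1}, {CID: "bafy-sample-2", Height: 2}}})
	fmt.Println("bob via unfiltered commits path:", len(s.CommitsUnfiltered("alice_doc")))
	fmt.Println("bob via ACP-checked commits path:", len(s.Commits("did:bob", "alice_doc")))
}
```

The point of the model is that CanRead is the only decision function, and both QueryDocument and Commits call it independently; a regression test for this class of bug queries the history path directly with an unauthorised actor and asserts an empty result, rather than relying on the collection path having filtered first.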