Evaluate permission filters also on all joined relations

lib/remote/objectqueryhandler.cpp

@@ -191,6 +191,7 @@ bool ObjectQueryHandler::HandleRequest(
 	}
 
 	std::unordered_map<Type*, std::pair<bool, Expression::Ptr>> typePermissions;
+	std::unordered_map<Object*, bool> objectAccessAllowed;
 
 	for (const ConfigObject::Ptr& obj : objs) {
 		DictionaryData result1{
@@ -283,6 +284,28 @@ bool ObjectQueryHandler::HandleRequest(
 				continue;
 			}
 
+			auto relation = objectAccessAllowed.find(joinedObj.get());
+			bool accessAllowed;
+
+			if (relation == objectAccessAllowed.end()) {
+				ScriptFrame permissionFrame(false, new Namespace());
+
+				try {
+					accessAllowed = FilterUtility::EvaluateFilter(permissionFrame, permissionFilter.get(), joinedObj);
+				} catch (const ScriptError& err) {
+					accessAllowed = false;
+				}
+
+				objectAccessAllowed.insert({joinedObj.get(), accessAllowed});
+			} else {
+				accessAllowed = relation->second;
+			}
+
+			if (!accessAllowed) {
+				// Access denied
+				continue;
+			}
+
 			String prefix = field.NavigationName;
 
 			try {