From 5485346b5e2295e773d90b587611d38f5086292d Mon Sep 17 00:00:00 2001
From: Jake Barnby <jakeb994@gmail.com>
Date: Tue, 11 Apr 2023 15:40:14 +1200
Subject: [PATCH] Fail validation on nested attribute query

---
 app/controllers/api/databases.php                       | 7 -------
 src/Appwrite/Utopia/Database/Validator/Query/Filter.php | 8 ++++++++
 tests/e2e/Services/GraphQL/DatabaseServerTest.php       | 2 --
 3 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/app/controllers/api/databases.php b/app/controllers/api/databases.php
index 084be80b9c..28f4e046b2 100644
--- a/app/controllers/api/databases.php
+++ b/app/controllers/api/databases.php
@@ -2899,13 +2899,6 @@ App::get('/v1/databases/:databaseId/collections/:collectionId/documents')
 
         $filterQueries = Query::groupByType($queries)['filters'];
 
-        // TODO: Remove this when we have a better way to handle nested attribute queries
-        foreach ($filterQueries as $key => $query) {
-            if (\str_contains($query->getAttribute(), '.')) {
-                unset($filterQueries[$key]);
-            }
-        }
-
         $documents = Authorization::skip(fn () => $dbForProject->find('database_' . $database->getInternalId() . '_collection_' . $collection->getInternalId(), $queries));
 
         $documentSecurity = $collection->getAttribute('documentSecurity', false);
diff --git a/src/Appwrite/Utopia/Database/Validator/Query/Filter.php b/src/Appwrite/Utopia/Database/Validator/Query/Filter.php
index e2f52f206a..08847133de 100644
--- a/src/Appwrite/Utopia/Database/Validator/Query/Filter.php
+++ b/src/Appwrite/Utopia/Database/Validator/Query/Filter.php
@@ -18,6 +18,8 @@ class Filter extends Base
      */
     protected $schema = [];
 
+    private int $maxValuesCount;
+
     /**
      * Query constructor
      *
@@ -38,6 +40,12 @@ class Filter extends Base
             // For relationships, just validate the top level.
             // Utopia will validate each nested level during the recursive calls.
             $attribute = \explode('.', $attribute)[0];
+
+            // TODO: Remove this when nested queries are supported
+            if (isset($this->schema[$attribute])) {
+                $this->message = 'Cannot query nested attribute on: ' . $attribute;
+                return false;
+            }
         }
 
         // Search for attribute in schema
diff --git a/tests/e2e/Services/GraphQL/DatabaseServerTest.php b/tests/e2e/Services/GraphQL/DatabaseServerTest.php
index 5b329d5f2b..87006a1bea 100644
--- a/tests/e2e/Services/GraphQL/DatabaseServerTest.php
+++ b/tests/e2e/Services/GraphQL/DatabaseServerTest.php
@@ -1040,8 +1040,6 @@ class DatabaseServerTest extends Scope
             'x-appwrite-project' => $projectId,
         ], $this->getHeaders()), $gqlPayload);
 
-        \var_dump($attributes['body']);
-
         $this->assertArrayNotHasKey('errors', $attributes['body']);
         $this->assertIsArray($attributes['body']['data']);
         $this->assertIsArray($attributes['body']['data']['databasesListAttributes']);