fix: correct the check of read security in new query engine

core/src/main/java/com/orientechnologies/orient/core/sql/executor/FetchFromClassExecutionStep.java

@@ -6,11 +6,14 @@
 import com.orientechnologies.orient.core.db.ODatabaseDocumentInternal;
 import com.orientechnologies.orient.core.exception.OCommandExecutionException;
 import com.orientechnologies.orient.core.metadata.schema.OClass;
+import com.orientechnologies.orient.core.metadata.security.ORole;
+import com.orientechnologies.orient.core.metadata.security.ORule;
 import com.orientechnologies.orient.core.sql.executor.resultset.OLimitedResultSet;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -134,6 +137,11 @@ private void sortClusers(int[] clusterIds) {
   @Override
   public OResultSet syncPull(OCommandContext ctx, int nRecords) throws OTimeoutException {
     getPrev().ifPresent(x -> x.syncPull(ctx, nRecords));
+    ctx.getDatabase()
+        .checkSecurity(
+            ORule.ResourceGeneric.CLASS,
+            ORole.PERMISSION_READ,
+            className.toLowerCase(Locale.ENGLISH));
     return new OLimitedResultSet(
         new OResultSet() {
 

core/src/main/java/com/orientechnologies/orient/core/sql/executor/FilterByClassStep.java

@@ -5,29 +5,38 @@
 import com.orientechnologies.orient.core.command.OCommandContext;
 import com.orientechnologies.orient.core.exception.OCommandExecutionException;
 import com.orientechnologies.orient.core.metadata.schema.OClass;
+import com.orientechnologies.orient.core.metadata.security.ORole;
+import com.orientechnologies.orient.core.metadata.security.ORule;
 import com.orientechnologies.orient.core.sql.executor.resultset.OFilterResultSet;
 import com.orientechnologies.orient.core.sql.executor.resultset.OLimitedResultSet;
 import com.orientechnologies.orient.core.sql.parser.OIdentifier;
+import java.util.Locale;
 import java.util.Optional;
 
 /** Created by luigidellaquila on 01/03/17. */
 public class FilterByClassStep extends AbstractExecutionStep {
 
   private OIdentifier identifier;
+  private String className;
   private OResultSet prevResult = null;
   private long cost;
 
   public FilterByClassStep(OIdentifier identifier, OCommandContext ctx, boolean profilingEnabled) {
     super(ctx, profilingEnabled);
     this.identifier = identifier;
+    className = identifier.getStringValue();
   }
 
   @Override
   public OResultSet syncPull(OCommandContext ctx, int nRecords) throws OTimeoutException {
     if (!prev.isPresent()) {
       throw new IllegalStateException("filter step requires a previous step");
     }
-
+    ctx.getDatabase()
+        .checkSecurity(
+            ORule.ResourceGeneric.CLASS,
+            ORole.PERMISSION_READ,
+            className.toLowerCase(Locale.ENGLISH));
     return new OLimitedResultSet(
         new OFilterResultSet(() -> fetchNext(ctx, nRecords), this::filterMap), nRecords);
   }
@@ -37,7 +46,7 @@ private OResult filterMap(OResult result) {
     try {
       if (result.isElement()) {
         Optional<OClass> clazz = result.getElement().get().getSchemaType();
-        if (clazz.isPresent() && clazz.get().isSubClassOf(identifier.getStringValue())) {
+        if (clazz.isPresent() && clazz.get().isSubClassOf(className)) {
           return result;
         }
       }

core/src/test/java/com/orientechnologies/orient/core/metadata/security/OClassSecurityTest.java

@@ -5,6 +5,7 @@
 import com.orientechnologies.orient.core.db.ODatabaseSession;
 import com.orientechnologies.orient.core.db.OrientDB;
 import com.orientechnologies.orient.core.db.OrientDBConfig;
+import com.orientechnologies.orient.core.exception.OSecurityException;
 import com.orientechnologies.orient.core.record.OElement;
 import com.orientechnologies.orient.core.sql.executor.OResultSet;
 import org.junit.After;
@@ -58,7 +59,7 @@ public void after() {
     this.db = null;
   }
 
-  @Test
+  @Test(expected = OSecurityException.class)
   public void testReadWithClassPermissions() {
     db.createClass("Person");
     ORole reader = db.getMetadata().getSecurity().getRole("reader");