Struct SecureSelect 

pub struct SecureSelect<E: EntityTrait, S> { /* private fields */ }

A type-safe wrapper around SeaORM’s Select that enforces scoping.

This wrapper uses the typestate pattern to ensure that queries cannot be executed without first applying access control via .scope_with().

When scoped (SecureSelect<E, Scoped>), the query carries the AccessScope internally. This allows related-entity queries (find_also_related, find_with_related) to automatically apply the same scope to related entities without requiring the scope to be passed again.

Type Parameters

• E: The SeaORM entity type
• S: The typestate (Unscoped or Scoped)

Example

use modkit_db::secure::{AccessScope, SecureEntityExt};

let scope = AccessScope::for_tenants(vec![tenant_id]);
let users = user::Entity::find()
    .secure()           // Returns SecureSelect<E, Unscoped>
    .scope_with(&scope) // Returns SecureSelect<E, Scoped>
    .all(conn)          // Now can execute
    .await?;

// Related queries auto-apply scope:
let orders_with_items = Order::find()
    .secure()
    .scope_with(&scope)
    .find_with_related(line_item::Entity)  // scope auto-applied to LineItem
    .all(conn)
    .await?;

Implementations

impl<E> SecureSelect<E, Unscoped>

where E: ScopableEntity + EntityTrait, E::Column: ColumnTrait + Copy,

pub fn scope_with(self, scope: &AccessScope) -> SecureSelect<E, Scoped>

Apply access control scope to this query, transitioning to the Scoped state.

The scope is stored internally and will be automatically applied to any related-entity queries (e.g., find_also_related, find_with_related).

This applies the implicit policy:

• Empty scope → deny all
• Tenants only → filter by tenant
• Resources only → filter by resource IDs
• Both → AND them together

pub fn scope_with_arc(self, scope: Arc<AccessScope>) -> SecureSelect<E, Scoped>

Apply access control scope using an Arc<AccessScope>.

This is useful when you already have the scope in an Arc and want to avoid an extra clone.

impl<E> SecureSelect<E, Scoped>

where E: EntityTrait,

pub async fn all( self, runner: &impl DBRunner, ) -> Result<Vec<E::Model>, ScopeError>

Execute the query and return all matching results.

Errors

Returns ScopeError::Db if the database query fails.

pub async fn one( self, runner: &impl DBRunner, ) -> Result<Option<E::Model>, ScopeError>

Execute the query and return at most one result.

Errors

Returns ScopeError::Db if the database query fails.

pub async fn count(self, runner: &impl DBRunner) -> Result<u64, ScopeError>

where E::Model: FromQueryResult + Send + Sync,

Execute the query and return the number of matching results.

Errors

Returns ScopeError::Db if the database query fails.

pub fn and_id(self, id: Uuid) -> Result<Self, ScopeError>

where E: ScopableEntity, E::Column: ColumnTrait + Copy,

Add an additional filter for a specific resource ID.

This is useful when you want to further narrow a scoped query to a single resource.

Example

let user = User::find()
    .secure()
    .scope_with(&scope)?
    .and_id(user_id)
    .one(conn)
    .await?;

Errors

Returns ScopeError::Invalid if the entity doesn’t have a resource column.

impl<E> SecureSelect<E, Scoped>

where E: EntityTrait,

pub fn filter(self, filter: Condition) -> Self

Add additional filters to the scoped query. The scope conditions remain in place.

pub fn order_by<C>(self, col: C, order: Order) -> Self

where C: IntoSimpleExpr,

Add ordering to the scoped query.

pub fn limit(self, limit: u64) -> Self

Add a limit to the scoped query.

pub fn offset(self, offset: u64) -> Self

Add an offset to the scoped query.

pub fn and_scope_for<J>(self, scope: &AccessScope) -> Self

where J: ScopableEntity + EntityTrait, J::Column: ColumnTrait + Copy,

Apply scoping for a joined entity.

This delegates to build_scope_condition::<J>() which handles all property types (tenant, resource, owner, custom PEP properties) with proper OR/AND constraint semantics.

Example

// Select orders, ensuring both Order and Customer match scope
Order::find()
    .secure()
    .scope_with(&scope)?
    .and_scope_for::<customer::Entity>(&scope)
    .all(conn)
    .await?

pub fn scope_via_exists<J>(self, scope: &AccessScope) -> Self

where J: ScopableEntity + EntityTrait, J::Column: ColumnTrait + Copy,

Apply scoping via EXISTS subquery on a related entity.

This is particularly useful when the base entity doesn’t have a tenant column but is related to one that does.

This delegates to build_scope_condition::<J>() for the EXISTS subquery, handling all property types with proper OR/AND constraint semantics.

Note

This is a simplified EXISTS check (no join predicate linking back to the primary entity). For complex join predicates, use into_inner() and build custom EXISTS clauses.

Example

// Find settings that exist in a scoped relationship
GlobalSetting::find()
    .secure()
    .scope_with(&AccessScope::for_resources(vec![]))?
    .scope_via_exists::<TenantSetting>(&scope)
    .all(conn)
    .await?

pub fn into_inner(self) -> Select<E>

Unwrap the inner SeaORM Select for advanced use cases.

Safety

The caller must ensure they don’t remove or bypass the security conditions that were applied during .scope_with().

impl<E> SecureSelect<E, Scoped>

where E: EntityTrait,

pub fn scope(&self) -> &AccessScope

Get a reference to the stored scope.

This is useful when you need to pass the scope to other secure operations.

pub fn scope_arc(&self) -> Arc<AccessScope>

Get the stored scope as an Arc.

This is useful when you need to share the scope without cloning.

pub fn find_also_related<R>(self, r: R) -> SecureSelectTwo<E, R, Scoped>

where R: ScopableEntity + EntityTrait, R::Column: ColumnTrait + Copy, E: Related<R>,

Find related entities using find_also_related with automatic scoping.

This executes a LEFT JOIN to fetch the primary entity along with an optional related entity. The related entity will be None if no matching row exists.

Automatic Scoping

• The primary entity E is already scoped by the parent SecureSelect.
• The related entity R will automatically have tenant filtering applied if it has a tenant column (i.e., R::tenant_col() returns Some).
• For global entities (those with #[secure(no_tenant)]), no additional filtering is applied — the scoping becomes a no-op automatically.

This unified API handles both tenant-scoped and global entities transparently. The caller does not need to know or care whether the related entity is tenant-scoped or global.

Entity Requirements

All entities used with this method must derive Scopable. For global entities, use #[secure(no_tenant, no_resource, no_owner, no_type)].

Example

let scope = AccessScope::for_tenants(vec![tenant_id]);

// Tenant-scoped related entity - scope is auto-applied to Customer
let rows: Vec<(order::Model, Option<customer::Model>)> = Order::find()
    .secure()
    .scope_with(&scope)
    .find_also_related(customer::Entity)
    .all(db)
    .await?;

// Global related entity (no tenant column) - no filtering applied to GlobalConfig
let rows: Vec<(order::Model, Option<global_config::Model>)> = Order::find()
    .secure()
    .scope_with(&scope)
    .find_also_related(global_config::Entity)  // same API, auto no-op!
    .all(db)
    .await?;

pub fn find_with_related<R>(self, r: R) -> SecureSelectTwoMany<E, R, Scoped>

where R: ScopableEntity + EntityTrait, R::Column: ColumnTrait + Copy, E: Related<R>,

Find all related entities using find_with_related with automatic scoping.

This executes a query to fetch the primary entity along with all its related entities (one-to-many relationship).

Automatic Scoping

• The primary entity E is already scoped by the parent SecureSelect.
• The related entity R will automatically have tenant filtering applied if it has a tenant column (i.e., R::tenant_col() returns Some).
• For global entities (those with #[secure(no_tenant)]), no additional filtering is applied — the scoping becomes a no-op automatically.

This unified API handles both tenant-scoped and global entities transparently. The caller does not need to know or care whether the related entity is tenant-scoped or global.

Entity Requirements

All entities used with this method must derive Scopable. For global entities, use #[secure(no_tenant, no_resource, no_owner, no_type)].

Example

let scope = AccessScope::for_tenants(vec![tenant_id]);

// Tenant-scoped related entity - scope is auto-applied to LineItem
let rows: Vec<(order::Model, Vec<line_item::Model>)> = Order::find()
    .secure()
    .scope_with(&scope)
    .find_with_related(line_item::Entity)
    .all(db)
    .await?;

// Global related entity (no tenant column) - no filtering applied to SystemTag
let rows: Vec<(order::Model, Vec<system_tag::Model>)> = Order::find()
    .secure()
    .scope_with(&scope)
    .find_with_related(system_tag::Entity)  // same API, auto no-op!
    .all(db)
    .await?;

Trait Implementations

impl<E: Clone + EntityTrait, S: Clone> Clone for SecureSelect<E, S>

fn clone(&self) -> SecureSelect<E, S>

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl<E: Debug + EntityTrait, S: Debug> Debug for SecureSelect<E, S>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.