poki
diff --git a/‎README.md‎
Lines changed: 5 additions & 1 deletion b/‎README.md‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎examples/basic_test.go‎
Lines changed: 12 additions & 3 deletions b/‎examples/basic_test.go‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎examples/readme_test.go‎
Lines changed: 4 additions & 1 deletion b/‎examples/readme_test.go‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎filter/converter.go‎
Lines changed: 40 additions & 7 deletions b/‎filter/converter.go‎
Lines changed: 40 additions & 7 deletions
diff --git a/‎filter/converter_test.go‎
Lines changed: 110 additions & 17 deletions b/‎filter/converter_test.go‎
Lines changed: 110 additions & 17 deletions
@@ -32,8 +32,12 @@ import (
 
 func main() {
   // Create a converter with options:
+  // - WithAllowAllColumns: allow all columns to be filtered.
   // - WithArrayDriver: to convert arrays to the correct driver type, required when using lib/pq
-  converter := filter.NewConverter(filter.WithArrayDriver(pq.Array))
+  converter, err := filter.NewConverter(filter.WithAllowAllColumns(), filter.WithArrayDriver(pq.Array))
+	if err != nil {
+		// handle error
+	}
 
   // Convert a filter query to a WHERE clause and values:
   input := []byte(`{"title": "Jurassic Park"}`)
 
@@ -9,7 +9,10 @@ import (
 
 func ExampleNewConverter() {
 	// Remeber to use `filter.WithArrayDriver(pg.Array)` when using github.com/lib/pq
-	converter := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	converter, err := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{
 		"name": "John",
@@ -30,7 +33,10 @@ func ExampleNewConverter() {
 }
 
 func ExampleNewConverter_emptyfilter() {
-	converter := filter.NewConverter(filter.WithEmptyCondition("TRUE")) // The default is FALSE if you don't change it.
+	converter, err := filter.NewConverter(filter.WithAllowAllColumns(), filter.WithEmptyCondition("TRUE")) // The default is FALSE if you don't change it.
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{}`
 	conditions, _, err := converter.Convert([]byte(mongoFilterQuery), 1)
@@ -44,7 +50,10 @@ func ExampleNewConverter_emptyfilter() {
 }
 
 func ExampleNewConverter_nonIsolatedConditions() {
-	converter := filter.NewConverter()
+	converter, err := filter.NewConverter(filter.WithAllowAllColumns())
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{
 		"$or": [
 
@@ -8,7 +8,10 @@ import (
 
 func ExampleNewConverter_readme() {
 	// Remeber to use `filter.WithArrayDriver(pg.Array)` when using github.com/lib/pq
-	converter := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	converter, err := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{
 		"$and": [
 
@@ -30,9 +30,12 @@ const defaultPlaceholderName = "__filter_placeholder"
 
 // Converter converts MongoDB filter queries to SQL conditions and values. Use [filter.NewConverter] to create a new instance.
 type Converter struct {
-	nestedColumn     string
-	nestedExemptions []string
-	arrayDriver      func(a any) interface {
+	allowAllColumns   bool
+	allowedColumns    []string
+	disallowedColumns []string
+	nestedColumn      string
+	nestedExemptions  []string
+	arrayDriver       func(a any) interface {
 		driver.Valuer
 		sql.Scanner
 	}
@@ -45,16 +48,23 @@ type Converter struct {
 // NewConverter creates a new [Converter] with optional nested JSONB field mapping.
 //
 // Note: When using https://github.com/lib/pq, the [filter.WithArrayDriver] should be set to pq.Array.
-func NewConverter(options ...Option) *Converter {
+func NewConverter(options ...Option) (*Converter, error) {
 	converter := &Converter{
 		// don't set defaults, use the once.Do in #Convert()
 	}
+	seenAccessOption := false
 	for _, option := range options {
-		if option != nil {
-			option(converter)
+		if option.f != nil {
+			option.f(converter)
 		}
+		if option.isAccessOption {
+			seenAccessOption = true
+		}
+	}
+	if !seenAccessOption {
+		return nil, ErrNoAccessOption
 	}
-	return converter
+	return converter, nil
 }
 
 // Convert converts a MongoDB filter query into SQL conditions and values.
@@ -165,6 +175,9 @@ func (c *Converter) convertFilter(filter map[string]any, paramIndex int) (string
 			if !isValidPostgresIdentifier(key) {
 				return "", nil, fmt.Errorf("invalid column name: %s", key)
 			}
+			if !c.isColumnAllowed(key) {
+				return "", nil, ColumnNotAllowedError{Column: key}
+			}
 
 			switch v := value.(type) {
 			case map[string]any:
@@ -346,6 +359,26 @@ func (c *Converter) columnName(column string) string {
 	return fmt.Sprintf(`%q->>'%s'`, c.nestedColumn, column)
 }
 
+func (c *Converter) isColumnAllowed(column string) bool {
+	for _, disallowed := range c.disallowedColumns {
+		if disallowed == column {
+			return false
+		}
+	}
+	if c.allowAllColumns {
+		return true
+	}
+	if c.nestedColumn != "" {
+		return true
+	}
+	for _, allowed := range c.allowedColumns {
+		if allowed == column {
+			return true
+		}
+	}
+	return false
+}
+
 func (c *Converter) isNestedColumn(column string) bool {
 	if c.nestedColumn == "" {
 		return false
 
@@ -11,7 +11,10 @@ import (
 
 func ExampleNewConverter() {
 	// Remeber to use `filter.WithArrayDriver(pg.Array)` when using github.com/lib/pq
-	converter := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	converter, err := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at"))
+	if err != nil {
+		// handle error
+	}
 
 	mongoFilterQuery := `{
 		"name": "John",
@@ -33,7 +36,7 @@ func ExampleNewConverter() {
 func TestConverter_Convert(t *testing.T) {
 	tests := []struct {
 		name       string
-		option     filter.Option
+		option     []filter.Option
 		input      string
 		conditions string
 		values     []any
@@ -73,15 +76,15 @@ func TestConverter_Convert(t *testing.T) {
 		},
 		{
 			"nested jsonb single value",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"name": "John"}`,
 			`("meta"->>'name' = $1)`,
 			[]any{"John"},
 			nil,
 		},
 		{
 			"nested jsonb multi value",
-			filter.WithNestedJSONB("meta", "created_at", "updated_at"),
+			[]filter.Option{filter.WithNestedJSONB("meta", "created_at", "updated_at")},
 			`{"created_at": {"$gte": "2020-01-01T00:00:00Z"}, "name": "John", "role": "admin"}`,
 			`(("created_at" >= $1) AND ("meta"->>'name' = $2) AND ("meta"->>'role' = $3))`,
 			[]any{"2020-01-01T00:00:00Z", "John", "admin"},
@@ -296,7 +299,7 @@ func TestConverter_Convert(t *testing.T) {
 		},
 		{
 			"null jsonb column",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"name": null}`,
 			`(jsonb_path_match(meta, 'exists($.name)') AND "meta"->>'name' IS NULL)`,
 			nil,
@@ -312,15 +315,15 @@ func TestConverter_Convert(t *testing.T) {
 		},
 		{
 			"not $exists jsonb column",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"name": {"$exists": false}}`,
 			`(NOT jsonb_path_match(meta, 'exists($.name)'))`,
 			nil,
 			nil,
 		},
 		{
 			"$exists jsonb column",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"name": {"$exists": true}}`,
 			`(jsonb_path_match(meta, 'exists($.name)'))`,
 			nil,
@@ -344,31 +347,31 @@ func TestConverter_Convert(t *testing.T) {
 		},
 		{
 			"$elemMatch on jsonb column",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"name": {"$elemMatch": {"$eq": "John"}}}`,
 			`EXISTS (SELECT 1 FROM jsonb_array_elements("meta"->'name') AS __filter_placeholder WHERE ("__filter_placeholder"::text = $1))`,
 			[]any{"John"},
 			nil,
 		},
 		{
 			"$elemMatch with $gt",
-			filter.WithPlaceholderName("__placeholder"),
+			[]filter.Option{filter.WithAllowAllColumns(), filter.WithPlaceholderName("__placeholder")},
 			`{"age": {"$elemMatch": {"$gt": 18}}}`,
 			`EXISTS (SELECT 1 FROM unnest("age") AS __placeholder WHERE ("__placeholder"::text > $1))`,
 			[]any{float64(18)},
 			nil,
 		},
 		{
 			"numeric comparison bug with jsonb column",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"foo": {"$gt": 0}}`,
 			`(("meta"->>'foo')::numeric > $1)`,
 			[]any{float64(0)},
 			nil,
 		},
 		{
 			"numeric comparison against null with jsonb column",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"foo": {"$gt": null}}`,
 			`("meta"->>'foo' > $1)`,
 			[]any{nil},
@@ -392,23 +395,23 @@ func TestConverter_Convert(t *testing.T) {
 		},
 		{
 			"compare two jsonb fields",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"foo": {"$eq": {"$field": "bar"}}}`,
 			`("meta"->>'foo' = "meta"->>'bar')`,
 			nil,
 			nil,
 		},
 		{
 			"compare two jsonb fields with numeric comparison",
-			filter.WithNestedJSONB("meta"),
+			[]filter.Option{filter.WithNestedJSONB("meta")},
 			`{"foo": {"$lt": {"$field": "bar"}}}`,
 			`(("meta"->>'foo')::numeric < ("meta"->>'bar')::numeric)`,
 			nil,
 			nil,
 		},
 		{
 			"compare two fields with simple expression",
-			filter.WithNestedJSONB("meta", "foo"),
+			[]filter.Option{filter.WithNestedJSONB("meta", "foo")},
 			`{"foo": {"$field": "bar"}}`,
 			`("foo" = "meta"->>'bar')`,
 			nil,
@@ -426,7 +429,13 @@ func TestConverter_Convert(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c := filter.NewConverter(tt.option)
+			if tt.option == nil {
+				tt.option = []filter.Option{filter.WithAllowAllColumns()}
+			}
+			c, err := filter.NewConverter(tt.option...)
+			if err != nil {
+				t.Fatal(err)
+			}
 			conditions, values, err := c.Convert([]byte(tt.input), 1)
 			if err != nil && (tt.err == nil || err.Error() != tt.err.Error()) {
 				t.Errorf("Converter.Convert() error = %v, wantErr %v", err, tt.err)
@@ -447,7 +456,7 @@ func TestConverter_Convert(t *testing.T) {
 }
 
 func TestConverter_Convert_startAtParameterIndex(t *testing.T) {
-	c := filter.NewConverter()
+	c, _ := filter.NewConverter(filter.WithAllowAllColumns())
 	conditions, values, err := c.Convert([]byte(`{"name": "John", "password": "secret"}`), 10)
 	if err != nil {
 		t.Fatal(err)
@@ -476,7 +485,7 @@ func TestConverter_Convert_startAtParameterIndex(t *testing.T) {
 }
 
 func TestConverter_WithEmptyCondition(t *testing.T) {
-	c := filter.NewConverter(filter.WithEmptyCondition("TRUE"))
+	c, _ := filter.NewConverter(filter.WithAllowAllColumns(), filter.WithEmptyCondition("TRUE"))
 	conditions, values, err := c.Convert([]byte(`{}`), 1)
 	if err != nil {
 		t.Fatal(err)
@@ -490,6 +499,8 @@ func TestConverter_WithEmptyCondition(t *testing.T) {
 }
 
 func TestConverter_NoConstructor(t *testing.T) {
+	t.Skip() // this is currently not supported since we introduced the access control options
+
 	c := &filter.Converter{}
 	conditions, values, err := c.Convert([]byte(`{"name": "John"}`), 1)
 	if err != nil {
@@ -524,3 +535,85 @@ func TestConverter_CopyReference(t *testing.T) {
 		t.Errorf("Converter.Convert() conditions = %v, want %v", conditions, want)
 	}
 }
+
+func TestConverter_RequireAccessControl(t *testing.T) {
+	if _, err := filter.NewConverter(); err != filter.ErrNoAccessOption {
+		t.Errorf("NewConverter() error = %v, want %v", err, filter.ErrNoAccessOption)
+	}
+	if _, err := filter.NewConverter(filter.WithPlaceholderName("___test___")); err != filter.ErrNoAccessOption {
+		t.Errorf("NewConverter() error = %v, want %v", err, filter.ErrNoAccessOption)
+	}
+	if _, err := filter.NewConverter(filter.WithAllowAllColumns()); err != nil {
+		t.Errorf("NewConverter() error = %v, want no error", err)
+	}
+	if _, err := filter.NewConverter(filter.WithAllowColumns("name", "map")); err != nil {
+		t.Errorf("NewConverter() error = %v, want no error", err)
+	}
+	if _, err := filter.NewConverter(filter.WithAllowColumns()); err != nil {
+		t.Errorf("NewConverter() error = %v, want no error", err)
+	}
+	if _, err := filter.NewConverter(filter.WithNestedJSONB("meta", "created_at", "updated_at")); err != nil {
+		t.Errorf("NewConverter() error = %v, want no error", err)
+	}
+	if _, err := filter.NewConverter(filter.WithDisallowColumns("password")); err != nil {
+		t.Errorf("NewConverter() error = %v, want no error", err)
+	}
+}
+
+func TestConverter_AccessControl(t *testing.T) {
+	f := func(in string, wantErr error, options ...filter.Option) func(t *testing.T) {
+		t.Helper()
+		return func(t *testing.T) {
+			t.Helper()
+			c := &filter.Converter{}
+			if options != nil {
+				c, _ = filter.NewConverter(options...)
+				// requirement of access control is tested above.
+			}
+			q, _, err := c.Convert([]byte(in), 1)
+			t.Log(in, "->", q, err)
+			if wantErr == nil && err != nil {
+				t.Fatalf("no error returned, expected error: %v", err)
+			} else if wantErr != nil && err == nil {
+				t.Fatalf("expected error: %v", wantErr)
+			} else if wantErr != nil && wantErr.Error() != err.Error() {
+				t.Fatalf("error mismatch: %v != %v", err, wantErr)
+			}
+		}
+	}
+
+	no := func(c string) error { return filter.ColumnNotAllowedError{Column: c} }
+
+	t.Run("allow all, single root field",
+		f(`{"name":"John"}`, nil, filter.WithAllowAllColumns()))
+	t.Run("allow name, single allowed root field",
+		f(`{"name":"John"}`, nil, filter.WithAllowColumns("name")))
+	t.Run("allow name, single disallowed root field",
+		f(`{"password":"hacks"}`, no("password"), filter.WithAllowColumns("name")))
+	t.Run("allowed meta, single allowed nested field",
+		f(`{"map":"de_dust"}`, nil, filter.WithNestedJSONB("meta", "created_at")))
+	t.Run("allowed nested excemption, single allowed field",
+		f(`{"created_at":"de_dust"}`, nil, filter.WithNestedJSONB("meta", "created_at")))
+	t.Run("multi allow, single allowed root field",
+		f(`{"name":"John"}`, nil, filter.WithAllowColumns("name", "email")))
+	t.Run("multi allow, two allowed root fields",
+		f(`{"name":"John", "email":"test@example.org"}`, nil, filter.WithAllowColumns("name", "email")))
+	t.Run("multi allow, mixes access",
+		f(`{"name":"John", "password":"hacks"}`, no("password"), filter.WithAllowColumns("name", "email")))
+	t.Run("multi allow, mixes access",
+		f(`{"name":"John", "password":"hacks"}`, no("password"), filter.WithAllowColumns("name", "email")))
+	t.Run("allowed basic $and",
+		f(`{"$and": [{"name": "John"}, {"version": 3}]}`, nil, filter.WithAllowColumns("name", "version")))
+	t.Run("disallowed basic $and",
+		f(`{"$and": [{"name": "John"}, {"version": 3}]}`, no("version"), filter.WithAllowColumns("name")))
+	t.Run("allow all but one",
+		f(`{"name": "John"}`, nil, filter.WithAllowAllColumns(), filter.WithDisallowColumns("password")))
+	t.Run("allow all but one, failing",
+		f(`{"$and": [{"name": "John"}, {"password": "hacks"}]}`, no("password"), filter.WithAllowAllColumns(), filter.WithDisallowColumns("password")))
+	t.Run("nested but disallow password, allow exception",
+		f(`{"created_at": "1"}`, nil, filter.WithNestedJSONB("meta", "created_at"), filter.WithDisallowColumns("password")))
+	t.Run("nested but disallow password, allow nested",
+		f(`{"map": "de_dust"}`, nil, filter.WithNestedJSONB("meta", "created_at"), filter.WithDisallowColumns("password")))
+	t.Run("nested but disallow password, disallow",
+		f(`{"password": "hacks"}`, no("password"), filter.WithNestedJSONB("meta", "created_at"), filter.WithDisallowColumns("password")))
+}