@flowerforce/flowerbase 1.8.4-beta.3 → 1.8.4-beta.4

package/dist/services/mongodb-atlas/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/mongodb-atlas/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAIL,QAAQ,EAQT,MAAM,SAAS,CAAA;AAOhB,OAAO,EAGL,oBAAoB,EAErB,MAAM,SAAS,CAAA;AA6JhB,eAAO,MAAM,kBAAkB,GAAI,OAAO,OAAO,KAAG,OA0BnD,CAAA;AA8BD,eAAO,MAAM,2BAA2B,GAAI,UAAU,QAAQ,EAAE,YAK5D,CAAA;AAwzCJ,QAAA,MAAM,YAAY,EAAE,oBAwBlB,CAAA;AAEF,eAAe,YAAY,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/services/mongodb-atlas/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAIL,QAAQ,EAQT,MAAM,SAAS,CAAA;AAOhB,OAAO,EAGL,oBAAoB,EAErB,MAAM,SAAS,CAAA;AA8JhB,eAAO,MAAM,kBAAkB,GAAI,OAAO,OAAO,KAAG,OA0BnD,CAAA;AA8BD,eAAO,MAAM,2BAA2B,GAAI,UAAU,QAAQ,EAAE,YAK5D,CAAA;AA80CJ,QAAA,MAAM,YAAY,EAAE,oBAwBlB,CAAA;AAEF,eAAe,YAAY,CAAA"}

package/dist/services/mongodb-atlas/index.js

@@ -459,13 +459,17 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
             var _a;
             try {
                 const { projection, options: normalizedOptions } = resolveFindArgs(projectionOrOptions, options);
-                const resolvedOptions = projection || normalizedOptions
-                    ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (projection ? { projection } : {})) : undefined;
                 const resolvedQuery = query !== null && query !== void 0 ? query : {};
                 if (!run_as_system) {
                     (0, utils_3.checkDenyOperation)(normalizedRules, collection.collectionName, model_1.CRUD_OPERATIONS.READ);
                     // Apply access control filters to the query
                     const formattedQuery = (0, utils_3.getFormattedQuery)(filters, resolvedQuery, user);
+                    // Rules-level projection has priority over client-provided projection.
+                    // The merged projection is passed natively to MongoDB.
+                    const rulesProjection = (0, utils_3.getFormattedProjection)(filters, user);
+                    const finalProjection = (0, utils_3.mergeProjections)(projection, rulesProjection);
+                    const resolvedOptions = finalProjection || normalizedOptions
+                        ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (finalProjection ? { projection: finalProjection } : {})) : undefined;
                     logDebug('update formattedQuery', {
                         collection: collName,
                         query,
@@ -509,8 +513,10 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
                     emitMongoEvent('findOne');
                     return Promise.resolve(response);
                 }
-                // System mode: no validation applied
-                const response = yield collection.findOne(resolvedQuery, resolvedOptions);
+                // System mode: no validation applied, only client-provided projection/options.
+                const systemOptions = projection || normalizedOptions
+                    ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (projection ? { projection } : {})) : undefined;
+                const response = yield collection.findOne(resolvedQuery, systemOptions);
                 emitMongoEvent('findOne');
                 return response;
             }
@@ -825,13 +831,17 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
         find: (query = {}, projectionOrOptions, options) => {
             try {
                 const { projection, options: normalizedOptions } = resolveFindArgs(projectionOrOptions, options);
-                const resolvedOptions = projection || normalizedOptions
-                    ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (projection ? { projection } : {})) : undefined;
                 if (!run_as_system) {
                     (0, utils_3.checkDenyOperation)(normalizedRules, collection.collectionName, model_1.CRUD_OPERATIONS.READ);
                     // Pre-query filtering based on access control rules
                     const formattedQuery = (0, utils_3.getFormattedQuery)(filters, query, user);
                     const currentQuery = formattedQuery.length ? { $and: formattedQuery } : {};
+                    // Rules-level projection has priority over client-provided projection.
+                    // The merged projection is passed natively to MongoDB.
+                    const rulesProjection = (0, utils_3.getFormattedProjection)(filters, user);
+                    const finalProjection = (0, utils_3.mergeProjections)(projection, rulesProjection);
+                    const resolvedOptions = finalProjection || normalizedOptions
+                        ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (finalProjection ? { projection: finalProjection } : {})) : undefined;
                     // aggiunto filter per evitare questo errore: $and argument's entries must be objects
                     const cursor = collection.find(currentQuery, resolvedOptions);
                     const originalToArray = cursor.toArray.bind(cursor);
@@ -866,8 +876,10 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
                     emitMongoEvent('find');
                     return cursor;
                 }
-                // System mode: return original unfiltered cursor
-                const cursor = collection.find(query, resolvedOptions);
+                // System mode: return original unfiltered cursor (only client projection/options).
+                const systemOptions = projection || normalizedOptions
+                    ? Object.assign(Object.assign({}, (normalizedOptions !== null && normalizedOptions !== void 0 ? normalizedOptions : {})), (projection ? { projection } : {})) : undefined;
+                const cursor = collection.find(query, systemOptions);
                 emitMongoEvent('find');
                 return cursor;
             }
@@ -1041,7 +1053,7 @@ const getOperators = (mongo, { rules, dbName, collName, user, run_as_system, mon
                     formattedQuery,
                     pipeline
                 });
-                const projection = (0, utils_3.getFormattedProjection)(filters);
+                const projection = (0, utils_3.getFormattedProjection)(filters, user);
                 const hiddenFields = (0, utils_3.getHiddenFieldsFromRulesConfig)(rulesConfig);
                 const sanitizedPipeline = (0, utils_3.applyAccessControlToPipeline)(pipeline, normalizedRules, user, collName, { isClientPipeline: true });
                 logDebug('aggregate sanitizedPipeline', {

package/dist/services/mongodb-atlas/utils.d.ts

@@ -7,6 +7,21 @@ import { CRUD_OPERATIONS, GetValidRuleParams } from './model';
 export declare const getValidRule: <T extends Role | Filter>({ filters, user, record }: GetValidRuleParams<T>) => T[];
 export declare const getFormattedQuery: (filters?: Filter[], query?: Parameters<Collection<Document>["findOne"]>[0], user?: User) => FilterMongoDB<Document>[];
 export declare const getFormattedProjection: (filters?: Filter[], user?: User) => Projection | null;
+/**
+ * Merges a client-provided projection with the one computed from rules filters.
+ *
+ * Rules have higher priority over the client:
+ * - If rules exclude a top-level field (e.g. `{ instock: 0 }`), every client
+ *   reference to that field — including dotted sub-paths such as
+ *   `"instock.qty": 1` — is dropped from the final projection.
+ * - If rules include a field (value `1`), it is always part of the final
+ *   projection and overrides any conflicting client value.
+ * - The returned projection is always a valid MongoDB projection (no mixing of
+ *   inclusion and exclusion on non-`_id` keys), so it can be passed as-is to
+ *   native MongoDB methods.
+ * - Returns `undefined` when neither side provided a meaningful projection.
+ */
+export declare const mergeProjections: (clientProjection: Projection | Document | undefined, rulesProjection: Projection | null | undefined) => Projection | Document | undefined;
 export declare const applyAccessControlToPipeline: (pipeline: AggregationPipeline, rules: Record<string, {
     filters?: Filter[];
     roles?: Role[];

package/dist/services/mongodb-atlas/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/services/mongodb-atlas/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAElC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,IAAI,aAAa,EAAE,MAAM,SAAS,CAAA;AACvE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AACtC,OAAO,EACL,mBAAmB,EAEnB,MAAM,EAEN,UAAU,EACV,KAAK,EAGN,MAAM,gCAAgC,CAAA;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,6BAA6B,CAAA;AAGlD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAA;AAE7D,eAAO,MAAM,YAAY,GAAI,CAAC,SAAS,IAAI,GAAG,MAAM,EAAE,2BAInD,kBAAkB,CAAC,CAAC,CAAC,QA8BvB,CAAA;AAED,eAAO,MAAM,iBAAiB,GAC5B,UAAS,MAAM,EAAO,EACtB,QAAQ,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,EACtD,OAAO,IAAI,8BAcZ,CAAA;AAED,eAAO,MAAM,sBAAsB,GACjC,UAAS,MAAM,EAAO,EACtB,OAAO,IAAI,KACV,UAAU,GAAG,IAaf,CAAA;AAED,eAAO,MAAM,4BAA4B,GACvC,UAAU,mBAAmB,EAC7B,OAAO,MAAM,CACX,MAAM,EACN;IACE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CACf,CACF,EACD,MAAM,IAAI,EACV,gBAAgB,MAAM,EACtB,UAAU;IACR,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAC3B,KACA,mBA6GF,CAAA;AAED,eAAO,MAAM,kBAAkB,GAC7B,OAAO,KAAK,EACZ,gBAAgB,MAAM,EACtB,WAAW,eAAe,SAM3B,CAAA;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,CAAC,QAAQ,CAAC,EAAE;;;;;;;;iBA0I8iqS,CAAC;sBAAgC,CAAC;2BAAsC,CAAC;;;;IAlIrrqS;AAED,eAAO,MAAM,0BAA0B,GAAI,UAAU,QAAQ,EAAE,aAgC9D,CAAA;AAYD,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,mBAAmB,QA+BvE;AAED,wBAAgB,8BAA8B,CAAC,WAAW,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CAAE,YAK9E;AAwCD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,EAAE,uBAKtF"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/services/mongodb-atlas/utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAA;AAElC,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,IAAI,aAAa,EAAE,MAAM,SAAS,CAAA;AACvE,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAA;AACtC,OAAO,EACL,mBAAmB,EAEnB,MAAM,EAEN,UAAU,EACV,KAAK,EAGN,MAAM,gCAAgC,CAAA;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,6BAA6B,CAAA;AAGlD,OAAO,EAAE,eAAe,EAAE,kBAAkB,EAAE,MAAM,SAAS,CAAA;AAE7D,eAAO,MAAM,YAAY,GAAI,CAAC,SAAS,IAAI,GAAG,MAAM,EAAE,2BAInD,kBAAkB,CAAC,CAAC,CAAC,QA8BvB,CAAA;AAED,eAAO,MAAM,iBAAiB,GAC5B,UAAS,MAAM,EAAO,EACtB,QAAQ,UAAU,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,EACtD,OAAO,IAAI,8BAcZ,CAAA;AAED,eAAO,MAAM,sBAAsB,GACjC,UAAS,MAAM,EAAO,EACtB,OAAO,IAAI,KACV,UAAU,GAAG,IAMf,CAAA;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAC3B,kBAAkB,UAAU,GAAG,QAAQ,GAAG,SAAS,EACnD,iBAAiB,UAAU,GAAG,IAAI,GAAG,SAAS,KAC7C,UAAU,GAAG,QAAQ,GAAG,SAyD1B,CAAA;AAED,eAAO,MAAM,4BAA4B,GACvC,UAAU,mBAAmB,EAC7B,OAAO,MAAM,CACX,MAAM,EACN;IACE,OAAO,CAAC,EAAE,MAAM,EAAE,CAAA;IAClB,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CACf,CACF,EACD,MAAM,IAAI,EACV,gBAAgB,MAAM,EACtB,UAAU;IACR,gBAAgB,CAAC,EAAE,OAAO,CAAA;CAC3B,KACA,mBA6GF,CAAA;AAED,eAAO,MAAM,kBAAkB,GAC7B,OAAO,KAAK,EACZ,gBAAgB,MAAM,EACtB,WAAW,eAAe,SAM3B,CAAA;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,CAAC,QAAQ,CAAC,EAAE;;;;;;;;iBA0I2jkS,CAAC;sBAAgC,CAAC;2BAAsC,CAAC;;;;IAlIlskS;AAED,eAAO,MAAM,0BAA0B,GAAI,UAAU,QAAQ,EAAE,aAgC9D,CAAA;AAYD,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,mBAAmB,QA+BvE;AAED,wBAAgB,8BAA8B,CAAC,WAAW,CAAC,EAAE;IAAE,KAAK,CAAC,EAAE,IAAI,EAAE,CAAA;CAAE,YAK9E;AAwCD,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,EAAE,uBAKtF"}

package/dist/services/mongodb-atlas/utils.js

@@ -3,7 +3,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getCollectionsFromPipeline = exports.checkDenyOperation = exports.applyAccessControlToPipeline = exports.getFormattedProjection = exports.getFormattedQuery = exports.getValidRule = void 0;
+exports.getCollectionsFromPipeline = exports.checkDenyOperation = exports.applyAccessControlToPipeline = exports.mergeProjections = exports.getFormattedProjection = exports.getFormattedQuery = exports.getValidRule = void 0;
 exports.normalizeQuery = normalizeQuery;
 exports.ensureClientPipelineStages = ensureClientPipelineStages;
 exports.getHiddenFieldsFromRulesConfig = getHiddenFieldsFromRulesConfig;
@@ -48,21 +48,83 @@ const getFormattedQuery = (filters = [], query, user) => {
 };
 exports.getFormattedQuery = getFormattedQuery;
 const getFormattedProjection = (filters = [], user) => {
-    const projections = filters
-        .filter((filter) => {
-        if (filter.projection) {
-            const preFilter = (0, exports.getValidRule)({ filters, user });
-            const isValidPreFilter = !!(preFilter === null || preFilter === void 0 ? void 0 : preFilter.length);
-            return isValidPreFilter;
-        }
-        return false;
-    })
+    const projections = (0, exports.getValidRule)({ filters, user })
+        .filter((f) => !!f.projection)
         .map((f) => f.projection);
     if (!projections.length)
         return null;
     return Object.assign({}, ...projections);
 };
 exports.getFormattedProjection = getFormattedProjection;
+/**
+ * Merges a client-provided projection with the one computed from rules filters.
+ *
+ * Rules have higher priority over the client:
+ * - If rules exclude a top-level field (e.g. `{ instock: 0 }`), every client
+ *   reference to that field — including dotted sub-paths such as
+ *   `"instock.qty": 1` — is dropped from the final projection.
+ * - If rules include a field (value `1`), it is always part of the final
+ *   projection and overrides any conflicting client value.
+ * - The returned projection is always a valid MongoDB projection (no mixing of
+ *   inclusion and exclusion on non-`_id` keys), so it can be passed as-is to
+ *   native MongoDB methods.
+ * - Returns `undefined` when neither side provided a meaningful projection.
+ */
+const mergeProjections = (clientProjection, rulesProjection) => {
+    const hasClient = !!clientProjection && Object.keys(clientProjection).length > 0;
+    const hasRules = !!rulesProjection && Object.keys(rulesProjection).length > 0;
+    if (!hasClient && !hasRules)
+        return undefined;
+    const client = (hasClient ? clientProjection : {});
+    const rules = (hasRules ? rulesProjection : {});
+    const getTopLevel = (key) => key.split('.')[0];
+    const rulesEntries = Object.entries(rules);
+    const rulesIncludeKeys = rulesEntries
+        .filter(([, value]) => value === 1)
+        .map(([key]) => key);
+    const rulesExcludeKeys = rulesEntries
+        .filter(([, value]) => value === 0)
+        .map(([key]) => key);
+    // Top-level fields excluded by rules (excluding `_id` which has special
+    // MongoDB semantics and is allowed alongside inclusion projections).
+    const excludedTopLevel = new Set(rulesExcludeKeys.map(getTopLevel).filter((key) => key !== '_id'));
+    const filteredClient = {};
+    for (const [key, value] of Object.entries(client)) {
+        if (excludedTopLevel.has(getTopLevel(key)))
+            continue;
+        filteredClient[key] = value;
+    }
+    const hasInclusion = rulesIncludeKeys.some((key) => key !== '_id') ||
+        Object.entries(filteredClient).some(([key, value]) => value === 1 && key !== '_id');
+    const merged = {};
+    if (hasInclusion) {
+        // Inclusion mode: keep only client inclusions, then overlay rules inclusions.
+        // Client exclusions (other than `_id: 0`) are incompatible with inclusion
+        // mode and are dropped; not-included fields are implicitly excluded anyway.
+        for (const [key, value] of Object.entries(filteredClient)) {
+            if (value === 1 || key === '_id')
+                merged[key] = value;
+        }
+        for (const key of rulesIncludeKeys)
+            merged[key] = 1;
+        // Allow `_id: 0` to be forced by rules in inclusion mode.
+        for (const key of rulesExcludeKeys) {
+            if (key === '_id')
+                merged[key] = 0;
+        }
+    }
+    else {
+        // Pure exclusion mode: combine all exclusions from both sides.
+        for (const [key, value] of Object.entries(filteredClient)) {
+            if (value === 0)
+                merged[key] = 0;
+        }
+        for (const key of rulesExcludeKeys)
+            merged[key] = 0;
+    }
+    return Object.keys(merged).length > 0 ? merged : undefined;
+};
+exports.mergeProjections = mergeProjections;
 const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, options) => {
     const { isClientPipeline = false } = options || {};
     const hiddenFieldsForCollection = isClientPipeline
@@ -77,7 +139,7 @@ const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, opt
             (0, exports.checkDenyOperation)(rules, currentCollection, model_1.CRUD_OPERATIONS.READ);
             const lookupRules = rules[currentCollection] || {};
             const formattedQuery = (0, exports.getFormattedQuery)(lookupRules.filters, {}, user);
-            const projection = (0, exports.getFormattedProjection)(lookupRules.filters);
+            const projection = (0, exports.getFormattedProjection)(lookupRules.filters, user);
             const nestedPipeline = (0, exports.applyAccessControlToPipeline)(lookUpStage.pipeline || [], rules, user, currentCollection, { isClientPipeline });
             const lookupPipeline = [
                 ...(formattedQuery.length ? [{ $match: { $and: formattedQuery } }] : []),
@@ -98,7 +160,7 @@ const applyAccessControlToPipeline = (pipeline, rules, user, collectionName, opt
             (0, exports.checkDenyOperation)(rules, currentCollection, model_1.CRUD_OPERATIONS.READ);
             const unionRules = rules[currentCollection] || {};
             const formattedQuery = (0, exports.getFormattedQuery)(unionRules.filters, {}, user);
-            const projection = (0, exports.getFormattedProjection)(unionRules.filters);
+            const projection = (0, exports.getFormattedProjection)(unionRules.filters, user);
             if (isSimpleStage) {
                 return stage;
             }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flowerforce/flowerbase",
-  "version": "1.8.4-beta.3",
+  "version": "1.8.4-beta.4",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/services/mongodb-atlas/__tests__/utils.test.ts

@@ -1,4 +1,4 @@
-import { ensureClientPipelineStages, getHiddenFieldsFromRulesConfig, prependUnsetStage, applyAccessControlToPipeline } from '../utils'
+import { ensureClientPipelineStages, getHiddenFieldsFromRulesConfig, prependUnsetStage, applyAccessControlToPipeline, mergeProjections } from '../utils'
 import { Role } from '../../../utils/roles/interface'
 
 describe('MongoDB Atlas aggregate helpers', () => {
@@ -165,4 +165,89 @@ describe('MongoDB Atlas aggregate helpers', () => {
       })
     })
   })
+
+  describe('mergeProjections', () => {
+    it('returns undefined when both sides are empty', () => {
+      expect(mergeProjections(undefined, undefined)).toBeUndefined()
+      expect(mergeProjections({}, null)).toBeUndefined()
+    })
+
+    it('returns the client projection when rules have none', () => {
+      expect(mergeProjections({ a: 1, b: 1 }, null)).toEqual({ a: 1, b: 1 })
+    })
+
+    it('normalizes the rules projection when client has none', () => {
+      // Mixed inclusion/exclusion rules are normalized to pure inclusion mode.
+      expect(
+        mergeProjections(undefined, { item: 1, status: 1, instock: 0 })
+      ).toEqual({ item: 1, status: 1 })
+    })
+
+    it('merges plain inclusion projections (rules wins on conflict)', () => {
+      expect(
+        mergeProjections(
+          { item: 1, price: 1 },
+          { item: 1, status: 1 }
+        )
+      ).toEqual({ item: 1, status: 1, price: 1 })
+    })
+
+    it('supports dotted client keys alongside plain rules keys', () => {
+      expect(
+        mergeProjections(
+          { price: 1 },
+          { item: 1, status: 1, 'instock.qty': 1 }
+        )
+      ).toEqual({ item: 1, status: 1, 'instock.qty': 1, price: 1 })
+    })
+
+    it('drops client dotted keys when rules exclude the top-level field', () => {
+      // Rules: include item/status, exclude the whole `instock` subtree.
+      // Client tries to read `instock.qty` — it must be stripped.
+      expect(
+        mergeProjections(
+          { item: 1, status: 1, 'instock.qty': 1 },
+          { item: 1, status: 1, instock: 0 }
+        )
+      ).toEqual({ item: 1, status: 1 })
+    })
+
+    it('drops every client inclusion whose top-level is excluded by rules', () => {
+      expect(
+        mergeProjections(
+          {
+            item: 1,
+            'instock.qty': 1,
+            'instock.warehouse': 1,
+            price: 1
+          },
+          { item: 1, instock: 0 }
+        )
+      ).toEqual({ item: 1, price: 1 })
+    })
+
+    it('produces pure exclusion output when neither side has inclusions', () => {
+      expect(
+        mergeProjections({ secretA: 0 }, { secretB: 0 })
+      ).toEqual({ secretA: 0, secretB: 0 })
+    })
+
+    it('drops non-_id client exclusions when switching to inclusion mode', () => {
+      // Can't mix `{ price: 0, item: 1 }` in MongoDB — rules force inclusion
+      // mode so the client exclusion is silently dropped (price is implicitly
+      // excluded because it is not included).
+      expect(
+        mergeProjections({ price: 0 }, { item: 1 })
+      ).toEqual({ item: 1 })
+    })
+
+    it('keeps _id: 0 alongside inclusion mode', () => {
+      expect(
+        mergeProjections({ _id: 0 }, { item: 1 })
+      ).toEqual({ _id: 0, item: 1 })
+      expect(
+        mergeProjections({ item: 1 }, { _id: 0 })
+      ).toEqual({ _id: 0, item: 1 })
+    })
+  })
 })

package/src/services/mongodb-atlas/index.ts

@@ -35,6 +35,7 @@ import {
   getFormattedProjection,
   getFormattedQuery,
   getHiddenFieldsFromRulesConfig,
+  mergeProjections,
   normalizeQuery
 } from './utils'
 
@@ -558,13 +559,6 @@ const getOperators: GetOperatorsFunction = (
           projectionOrOptions,
           options
         )
-        const resolvedOptions =
-          projection || normalizedOptions
-            ? {
-              ...(normalizedOptions ?? {}),
-              ...(projection ? { projection } : {})
-            }
-            : undefined
         const resolvedQuery = query ?? {}
         if (!run_as_system) {
           checkDenyOperation(
@@ -574,6 +568,17 @@ const getOperators: GetOperatorsFunction = (
           )
           // Apply access control filters to the query
           const formattedQuery = getFormattedQuery(filters, resolvedQuery, user)
+          // Rules-level projection has priority over client-provided projection.
+          // The merged projection is passed natively to MongoDB.
+          const rulesProjection = getFormattedProjection(filters, user)
+          const finalProjection = mergeProjections(projection, rulesProjection)
+          const resolvedOptions =
+            finalProjection || normalizedOptions
+              ? {
+                ...(normalizedOptions ?? {}),
+                ...(finalProjection ? { projection: finalProjection } : {})
+              }
+              : undefined
           logDebug('update formattedQuery', {
             collection: collName,
             query,
@@ -629,8 +634,15 @@ const getOperators: GetOperatorsFunction = (
           emitMongoEvent('findOne')
           return Promise.resolve(response)
         }
-        // System mode: no validation applied
-        const response = await collection.findOne(resolvedQuery, resolvedOptions)
+        // System mode: no validation applied, only client-provided projection/options.
+        const systemOptions =
+          projection || normalizedOptions
+            ? {
+              ...(normalizedOptions ?? {}),
+              ...(projection ? { projection } : {})
+            }
+            : undefined
+        const response = await collection.findOne(resolvedQuery, systemOptions)
         emitMongoEvent('findOne')
         return response
       } catch (error) {
@@ -1023,13 +1035,6 @@ const getOperators: GetOperatorsFunction = (
           projectionOrOptions,
           options
         )
-        const resolvedOptions =
-          projection || normalizedOptions
-            ? {
-              ...(normalizedOptions ?? {}),
-              ...(projection ? { projection } : {})
-            }
-            : undefined
         if (!run_as_system) {
           checkDenyOperation(
             normalizedRules,
@@ -1039,6 +1044,17 @@ const getOperators: GetOperatorsFunction = (
           // Pre-query filtering based on access control rules
           const formattedQuery = getFormattedQuery(filters, query, user)
           const currentQuery = formattedQuery.length ? { $and: formattedQuery } : {}
+          // Rules-level projection has priority over client-provided projection.
+          // The merged projection is passed natively to MongoDB.
+          const rulesProjection = getFormattedProjection(filters, user)
+          const finalProjection = mergeProjections(projection, rulesProjection)
+          const resolvedOptions =
+            finalProjection || normalizedOptions
+              ? {
+                ...(normalizedOptions ?? {}),
+                ...(finalProjection ? { projection: finalProjection } : {})
+              }
+              : undefined
           // aggiunto filter per evitare questo errore: $and argument's entries must be objects
           const cursor = collection.find(currentQuery, resolvedOptions)
           const originalToArray = cursor.toArray.bind(cursor)
@@ -1084,8 +1100,15 @@ const getOperators: GetOperatorsFunction = (
           emitMongoEvent('find')
           return cursor
         }
-        // System mode: return original unfiltered cursor
-        const cursor = collection.find(query, resolvedOptions)
+        // System mode: return original unfiltered cursor (only client projection/options).
+        const systemOptions =
+          projection || normalizedOptions
+            ? {
+              ...(normalizedOptions ?? {}),
+              ...(projection ? { projection } : {})
+            }
+            : undefined
+        const cursor = collection.find(query, systemOptions)
         emitMongoEvent('find')
         return cursor
       } catch (error) {
@@ -1327,7 +1350,7 @@ const getOperators: GetOperatorsFunction = (
           formattedQuery,
           pipeline
         })
-        const projection = getFormattedProjection(filters)
+        const projection = getFormattedProjection(filters, user)
         const hiddenFields = getHiddenFieldsFromRulesConfig(rulesConfig)
 
         const sanitizedPipeline = applyAccessControlToPipeline(

package/src/services/mongodb-atlas/utils.ts

@@ -76,20 +76,89 @@ export const getFormattedProjection = (
   filters: Filter[] = [],
   user?: User
 ): Projection | null => {
-  const projections = filters
-    .filter((filter) => {
-      if (filter.projection) {
-        const preFilter = getValidRule({ filters, user })
-        const isValidPreFilter = !!preFilter?.length
-        return isValidPreFilter
-      }
-      return false
-    })
-    .map((f) => f.projection)
+  const projections = getValidRule({ filters, user })
+    .filter((f) => !!f.projection)
+    .map((f) => f.projection as Projection)
   if (!projections.length) return null
   return Object.assign({}, ...projections)
 }
 
+/**
+ * Merges a client-provided projection with the one computed from rules filters.
+ *
+ * Rules have higher priority over the client:
+ * - If rules exclude a top-level field (e.g. `{ instock: 0 }`), every client
+ *   reference to that field — including dotted sub-paths such as
+ *   `"instock.qty": 1` — is dropped from the final projection.
+ * - If rules include a field (value `1`), it is always part of the final
+ *   projection and overrides any conflicting client value.
+ * - The returned projection is always a valid MongoDB projection (no mixing of
+ *   inclusion and exclusion on non-`_id` keys), so it can be passed as-is to
+ *   native MongoDB methods.
+ * - Returns `undefined` when neither side provided a meaningful projection.
+ */
+export const mergeProjections = (
+  clientProjection: Projection | Document | undefined,
+  rulesProjection: Projection | null | undefined
+): Projection | Document | undefined => {
+  const hasClient = !!clientProjection && Object.keys(clientProjection).length > 0
+  const hasRules = !!rulesProjection && Object.keys(rulesProjection).length > 0
+  if (!hasClient && !hasRules) return undefined
+
+  const client = (hasClient ? (clientProjection as Projection) : {}) as Projection
+  const rules = (hasRules ? (rulesProjection as Projection) : {}) as Projection
+
+  const getTopLevel = (key: string) => key.split('.')[0]
+
+  const rulesEntries = Object.entries(rules)
+  const rulesIncludeKeys = rulesEntries
+    .filter(([, value]) => value === 1)
+    .map(([key]) => key)
+  const rulesExcludeKeys = rulesEntries
+    .filter(([, value]) => value === 0)
+    .map(([key]) => key)
+
+  // Top-level fields excluded by rules (excluding `_id` which has special
+  // MongoDB semantics and is allowed alongside inclusion projections).
+  const excludedTopLevel = new Set(
+    rulesExcludeKeys.map(getTopLevel).filter((key) => key !== '_id')
+  )
+
+  const filteredClient: Record<string, 0 | 1> = {}
+  for (const [key, value] of Object.entries(client)) {
+    if (excludedTopLevel.has(getTopLevel(key))) continue
+    filteredClient[key] = value as 0 | 1
+  }
+
+  const hasInclusion =
+    rulesIncludeKeys.some((key) => key !== '_id') ||
+    Object.entries(filteredClient).some(([key, value]) => value === 1 && key !== '_id')
+
+  const merged: Record<string, 0 | 1> = {}
+
+  if (hasInclusion) {
+    // Inclusion mode: keep only client inclusions, then overlay rules inclusions.
+    // Client exclusions (other than `_id: 0`) are incompatible with inclusion
+    // mode and are dropped; not-included fields are implicitly excluded anyway.
+    for (const [key, value] of Object.entries(filteredClient)) {
+      if (value === 1 || key === '_id') merged[key] = value
+    }
+    for (const key of rulesIncludeKeys) merged[key] = 1
+    // Allow `_id: 0` to be forced by rules in inclusion mode.
+    for (const key of rulesExcludeKeys) {
+      if (key === '_id') merged[key] = 0
+    }
+  } else {
+    // Pure exclusion mode: combine all exclusions from both sides.
+    for (const [key, value] of Object.entries(filteredClient)) {
+      if (value === 0) merged[key] = 0
+    }
+    for (const key of rulesExcludeKeys) merged[key] = 0
+  }
+
+  return Object.keys(merged).length > 0 ? merged : undefined
+}
+
 export const applyAccessControlToPipeline = (
   pipeline: AggregationPipeline,
   rules: Record<
@@ -120,7 +189,7 @@ export const applyAccessControlToPipeline = (
       checkDenyOperation(rules as Rules, currentCollection, CRUD_OPERATIONS.READ)
       const lookupRules = rules[currentCollection] || {}
       const formattedQuery = getFormattedQuery(lookupRules.filters, {}, user)
-      const projection = getFormattedProjection(lookupRules.filters)
+      const projection = getFormattedProjection(lookupRules.filters, user)
 
       const nestedPipeline = applyAccessControlToPipeline(
         lookUpStage.pipeline || [],
@@ -155,7 +224,7 @@ export const applyAccessControlToPipeline = (
       checkDenyOperation(rules as Rules, currentCollection, CRUD_OPERATIONS.READ)
       const unionRules = rules[currentCollection] || {}
       const formattedQuery = getFormattedQuery(unionRules.filters, {}, user)
-      const projection = getFormattedProjection(unionRules.filters)
+      const projection = getFormattedProjection(unionRules.filters, user)
 
       if (isSimpleStage) {
         return stage