From b1b31368f301d0ef0af93f2db96d2d5447e362a8 Mon Sep 17 00:00:00 2001
From: Tomas Johansen
Date: Tue, 20 Jan 2026 14:30:47 +0100
Subject: [PATCH 1/2] When processing non-list nested object filters for CosmosDB, the EntityName was mutated but not restored after recursive parsing. This caused subsequent nested filters to use the wrong entity name for authorization checks, resulting in AuthorizationCheckFailed errors. The fix adds a single line to restore EntityName alongside the existing restoration of DatabaseObject.Name and SourceAlias. Closes #3070
---
 src/Core/Models/GraphQLFilterParsers.cs | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/Core/Models/GraphQLFilterParsers.cs b/src/Core/Models/GraphQLFilterParsers.cs
index 153def832f..90deb884b3 100644
--- a/src/Core/Models/GraphQLFilterParsers.cs
+++ b/src/Core/Models/GraphQLFilterParsers.cs
@@ -227,6 +227,7 @@ public Predicate Parse(
 cosmosQueryStructure.DatabaseObject.Name = sourceName;
 cosmosQueryStructure.SourceAlias = sourceAlias;
+ cosmosQueryStructure.EntityName = entityName;
 }
 }
 }
From f0f2b3cb0f88dbcde18a9567f46b6bead5e4c086 Mon Sep 17 00:00:00 2001
From: Tomas Johansen
Date: Sat, 24 Jan 2026 22:06:16 +0100
Subject: [PATCH 2/2] Add integration test for CosmosDB nested object filter scenario
---
 .../CosmosTests/QueryFilterTests.cs | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/src/Service.Tests/CosmosTests/QueryFilterTests.cs b/src/Service.Tests/CosmosTests/QueryFilterTests.cs
index 187b447973..636988331c 100644
--- a/src/Service.Tests/CosmosTests/QueryFilterTests.cs
+++ b/src/Service.Tests/CosmosTests/QueryFilterTests.cs
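Review bot: The added restore of `cosmosQueryStructure.EntityName` has no comment saying why it matters, although the commit message says this field is what the authorization check for later nested filters reads. I would put `// Restore EntityName as well: sibling nested filters are authorized against it.` above the three restoring assignments so the line is not dropped in a later cleanup. As far as the hunk shows, the restore runs only when the recursive parse returns normally. Parse begins and ends outside the hunk, so it is not visible here where `entityName` is captured or whether an exception path can leave the nested entity name on a structure that is used again.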
@@ -899,6 +899,31 @@ public async Task TestFilterWithEntityNameAlias()
 await ExecuteAndValidateResult(_graphQLQueryName, gqlQuery, dbQuery);
 }
+ ///
+ /// Test filters on two different nested objects simultaneously
+ ///
+ [TestMethod]
+ public async Task TestFilterOnTwoDifferentNestedObjects()
+ {
+ string gqlQuery = @"{
+ planets(first: 10, " + QueryBuilder.FILTER_FIELD_NAME + @" : {
+ character: { name: { eq: ""planet character"" } },
+ earth: { type: { eq: ""earth4"" } }
+ })
+ {
+ items {
+ id
+ name
+ }
+ }
+ }";
+
+ string dbQuery = "SELECT c.id, c.name FROM c " +
+ "WHERE c.character.name = \"planet character\" AND c.earth.type = \"earth4\"";
+
+ await ExecuteAndValidateResult(_graphQLQueryName, gqlQuery, dbQuery);
+ }
+
 ///
 /// For "item-level-permission-role" role, DB policies are defined. This test confirms that all the DB policies are considered.
 /// For the reference, Below conditions are applied for an Entity in Db Config file.
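Review bot: TestFilterOnTwoDifferentNestedObjects covers only the permitted path, so it shows that the second nested filter no longer fails authorization but not that it is checked against the right entity. Because the fixed line decides which entity name the authorization check uses, a companion case would pin that down: run the same two-object filter under a role that is denied the field in the second nested object (`earth.type` here) and assert that the request is rejected. Whether the test configuration defines such a role is not visible in this hunk. The summary comment could also say that this is the regression test for issue #3070, e.g. `/// Regression test for #3070: sibling nested object filters must each be authorized against their own entity.`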