diff --git a/db/fetcher/fetcher.go b/db/fetcher/fetcher.go
index 895399adae..d23d83e964 100644
--- a/db/fetcher/fetcher.go
+++ b/db/fetcher/fetcher.go
@@ -13,6 +13,7 @@ package fetcher
 import (
 	"bytes"
 	"context"
+	"fmt"
 	"strings"
 
 	"github.com/bits-and-blooms/bitset"
@@ -599,7 +600,15 @@ func (df *DocumentFetcher) fetchNext(ctx context.Context) (EncodedDocument, Exec
 			return nil, ExecInfo{}, err
 		}
 
-		if df.filter != nil {
+		// Check permission
+		s := df.kv.Key.DocID
+		fmt.Println("------------------------------------")
+		fmt.Println("s      : ", s)
+		fmt.Println("passedPermission      : ", df.passedPermission)
+		df.passedPermission = true
+		fmt.Println("------------------------------------")
+
+		if df.passedPermission && df.filter != nil {
 			// only run filter if we've collected all the fields
 			// required for filtering. This is tracked by the bitsets.
 			if df.filterSet.Equal(df.doc.filterSet) {
@@ -619,7 +628,7 @@ func (df *DocumentFetcher) fetchNext(ctx context.Context) (EncodedDocument, Exec
 		// if we don't pass the filter (ran and pass)
 		// theres no point in collecting other select fields
 		// so we seek to the next doc
-		spansDone, docDone, err := df.nextKey(ctx, !df.passedFilter && df.ranFilter)
+		spansDone, docDone, err := df.nextKey(ctx, !df.passedPermission || !df.passedFilter && df.ranFilter)
 		if err != nil {
 			return nil, ExecInfo{}, err
 		}