diff --git a/config/alfresco/subsystems/Search/common-opencmis-context.xml b/config/alfresco/subsystems/Search/common-opencmis-context.xml
index 7814af93fe..bf97c17666 100644
--- a/config/alfresco/subsystems/Search/common-opencmis-context.xml
+++ b/config/alfresco/subsystems/Search/common-opencmis-context.xml
@@ -51,7 +51,7 @@
 			</list>
         </property>
         <property name="queryEngine">
-            <ref bean="search.dbQueryEngineImpl" />
+            <ref bean="search.dbQueryEngine" />
         </property>
         <property name="cmisDictionaryService">
             <ref bean="OpenCMISDictionaryService" />
diff --git a/config/alfresco/subsystems/Search/common-search-context.xml b/config/alfresco/subsystems/Search/common-search-context.xml
index 9da3680d6c..47ef8ceac5 100644
--- a/config/alfresco/subsystems/Search/common-search-context.xml
+++ b/config/alfresco/subsystems/Search/common-search-context.xml
@@ -93,7 +93,7 @@
 			</list>
         </property>
         <property name="queryEngine">
-            <ref bean="search.dbQueryEngineImpl" />
+            <ref bean="search.dbQueryEngine" />
         </property>
         <property name="dictionaryService">
             <ref bean="dictionaryService" />
@@ -120,4 +120,31 @@
         <property name="tenantService" ref="tenantService"/>
     </bean>
    
+   <bean id="search.dbQueryEngine" class="org.springframework.aop.framework.ProxyFactoryBean">
+        <property name="proxyInterfaces">
+            <value>org.alfresco.repo.search.impl.querymodel.QueryEngine</value>
+        </property>
+        <property name="target">
+            <ref bean="search.dbQueryEngineImpl"/>
+        </property>
+        <property name="interceptorNames">
+            <list>
+                <idref bean="search.dbQueryEngineSecurity"/>
+            </list>
+        </property>
+    </bean>
+   
+   <bean id="search.dbQueryEngineSecurity" class="net.sf.acegisecurity.intercept.method.aopalliance.MethodSecurityInterceptor">
+        <property name="authenticationManager"><ref bean="authenticationManager"/></property>
+        <property name="accessDecisionManager"><ref bean="accessDecisionManager"/></property>
+        <property name="afterInvocationManager"><ref bean="afterInvocationManager"/></property>
+        <property name="objectDefinitionSource">
+            <value>
+               org.alfresco.repo.search.impl.querymodel.QueryEngine.executeQuery=ACL_ALLOW,AFTER_ACL_NODE.sys:base.Read
+               org.alfresco.repo.search.impl.querymodel.QueryEngine.getQueryModelFactory=ACL_ALLOW
+            </value>
+        </property>
+    </bean>
+   
+   
 </beans>
diff --git a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
index e9c62d9679..e3de6b0743 100644
--- a/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
+++ b/source/java/org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.java
@@ -500,6 +500,11 @@ public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider,
 
     {
         ResultSet raw = returnedObject.getWrapped();
+        // Check for nested evaluation FilteringResultSet is only wrapped here
+        if(raw instanceof FilteringResultSet)
+        {
+            return returnedObject;
+        }
         ResultSet filteredForPermissions = decide(authentication, object, config, raw);
         PagingLuceneResultSet newPaging = new PagingLuceneResultSet(filteredForPermissions, returnedObject.getResultSetMetaData().getSearchParameters(), nodeService);
         return newPaging;
diff --git a/source/test-java/org/alfresco/repo/search/SearchServiceTest.java b/source/test-java/org/alfresco/repo/search/SearchServiceTest.java
index 1e0ad3309a..c49a14d1ca 100644
--- a/source/test-java/org/alfresco/repo/search/SearchServiceTest.java
+++ b/source/test-java/org/alfresco/repo/search/SearchServiceTest.java
@@ -123,30 +123,30 @@ public class SearchServiceTest extends TestCase
         rootNodeRef = nodeService.getRootNode(storeRef);
 
         n1 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}01"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         pubPermissionService.setPermission(n1, "andy", "Read", true);
         n2 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}02"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         pubPermissionService.setPermission(n2, "andy", "Read", true);
         n3 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}03"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         pubPermissionService.setPermission(n3, "andy", "Read", true);
         n4 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}04"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         pubPermissionService.setPermission(n4, "andy", "Read", true);
         n5 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}05"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         pubPermissionService.setPermission(n5, "andy", "Read", true);
         n6 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}06"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         n7 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}07"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         n8 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}08"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         n9 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}09"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
         n10 = nodeService.createNode(rootNodeRef, ContentModel.ASSOC_CHILDREN, QName.createQName("{test}10"),
-                ContentModel.TYPE_CONTAINER).getChildRef();
+                ContentModel.TYPE_FOLDER).getChildRef();
 
     }
 
@@ -259,4 +259,19 @@ public class SearchServiceTest extends TestCase
         assertEquals(results.getResultSetMetaData().getPermissionEvaluationMode(), PermissionEvaluationMode.EAGER);
         results.close();
     }
+    
+    public void testAndyCMIS()
+    {
+        authenticationComponent.setCurrentUser("andy");
+        SearchParameters sp = new SearchParameters();
+        sp.setLanguage(SearchService.LANGUAGE_CMIS_ALFRESCO);
+        sp.setQuery("select * from cmis:folder");
+        sp.addStore(rootNodeRef.getStoreRef());
+        ResultSet results = pubSearchService.query(sp);
+        assertEquals(results.length(), 5);
+        assertNotNull(results.getResultSetMetaData());
+        assertEquals(results.getResultSetMetaData().getLimitedBy(), LimitBy.UNLIMITED);
+        assertEquals(results.getResultSetMetaData().getPermissionEvaluationMode(), PermissionEvaluationMode.EAGER);
+        results.close();
+    }
 }