diff --git a/mo/db.py b/mo/db.py
index 5e246f097f1a0ab8675de2e1083bc849eb30b2ac..e6f9eddeca6750cd3feed69642c550ae17732e5a 100644
--- a/mo/db.py
+++ b/mo/db.py
@@ -733,7 +733,7 @@ class UserRole(Base):
 
         return " ".join(parts)
 
-    # XXX: Tatáž logika je v DB dotazu v org_index()
+    # XXX: Tatáž logika je v DB dotazu v org_index() a v mo.rights.filter_query_rights_for
     def applies_to(self, at: Optional[Place] = None, year: Optional[int] = None, cat: Optional[str] = None, seq: Optional[int] = None) -> bool:
         return ((at is None or self.place_id == at.place_id)
                 and (self.year is None or year is None or self.year == year)
diff --git a/mo/rights.py b/mo/rights.py
index 8f1fd28a8ebd26e0b7ebb52c9082d49a9ac88b8f..3007956631e416330d7fa4d53f0727f83e6c4c35 100644
--- a/mo/rights.py
+++ b/mo/rights.py
@@ -539,3 +539,33 @@ class Gatekeeper:
             return True
 
         return False
+
+
+def filter_query_rights_for(
+        q: Query,
+        place: Optional[db.Place] = None,
+        place_ids: Optional[List[int]] = None,
+        year: Optional[int] = config.CURRENT_YEAR,
+        cat: Optional[str] = None,
+        seq: Optional[int] = None) -> Query:
+
+    if place is not None:
+        q = q.filter(db.UserRole.place_id == place.place_id)
+    if place_ids is not None:
+        q = q.filter(db.UserRole.place_id.in_(place_ids))
+
+    if year is not None:
+        q = q.filter(or_(db.UserRole.year == year, db.UserRole.year == None))
+
+    if cat is not None:
+        cats = [cat]
+        if cat in "ABC":
+            cats.append('S')
+        elif cat.startswith('Z'):
+            cats.append('Z')
+        q = q.filter(or_(db.UserRole.category.in_(cats), db.UserRole.category == None))
+
+    if seq is not None:
+        q = q.filter(or_(db.UserRole.seq == seq, db.UserRole.seq == None))
+
+    return q