denyValues blocks queries with negated values (NOT operator) #17
Description
Summary
The denyValues security feature blocks any query that mentions a denied value, including queries that explicitly exclude that value using negation (NOT).
Expected Behavior
denyValues: ["archived", "deleted"] should:
- ✅ Block:
status:"archived"(user trying to access archived items) - ✅ Block:
status:"deleted"(user trying to access deleted items) - ✅ Allow:
NOT status:"archived"(user explicitly excluding archived items) - ✅ Allow:
NOT status:"deleted"(user explicitly excluding deleted items)
Actual Behavior
All four queries above are blocked, including the negations.
Impact
This makes denyValues unusable for RBAC systems that programmatically inject access control filters like:
// RBAC system adds this to hide items from users:
query = base.andWhere(`NOT status:"archived"`);When this is combined with denyValues: ["archived"], the entire query fails—even though the intent is to prevent access to archived items, not allow it.
Workaround
We had to remove denyValues entirely and handle access control in a separate query-building layer that runs before QueryKit parses the query.
Suggested Fix
The security check should parse the operator context and only deny values used in positive/inclusive queries, not negations.