microsoft / fhir-server

A service that implements the FHIR standard
MIT License

When searching with _security:not, deleted resources are included in the search results. #3920

Open klimkjar opened 3 weeks ago

klimkjar commented 3 weeks ago

Describe the bug When the _security:not search parameter is specified in a search operation, IDs for soft-deleted resources are included in the search results. I've reproduced the behaviour with a fresh install of version 4.0.160, but it appears at least as far back as in version 3.4.124.

FHIR Version? R4

Data provider? SQL Server

To Reproduce Steps to reproduce the behavior:

  1. POST a Patient resource to the fhir-server instance. The contents are not important; for repro purposes even an empty Patient resource is enough.
  2. DELETE the resource that was created in step 1.
  3. SEARCH for resources using the _security:not parameter, for instance /Patient?_security:not=V. It needs to be a generic search; if the ID for the resource is specified with _id=..., the behaviour does not appear, but adding _lastUpdated=... to limit the results works when testing on a server with lots of existing data.

Expected behavior The deleted resource does not appear in the list of results.

Actual behavior The deleted resource appears in the list as an empty resource (containing only the id and meta.lastUpdated fields).
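
The reproduction steps above written as a regression check, added here as an example and not part of the original report or the fhir-server code base. The base URL passed to `check_server`, an unauthenticated test instance, and all helper names are assumptions; the sample Bundle is constructed.

```python
import json
import urllib.request

FHIR_JSON = "application/fhir+json"

def _call(method, url, body=None):
    """Send one FHIR REST request and return the parsed JSON body (or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Accept": FHIR_JSON, "Content-Type": FHIR_JSON,
        "Prefer": "return=representation"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None

def leaked_ids(bundle, deleted_ids):
    """Return ids in a search Bundle that belong to known-deleted resources."""
    ids = [e.get("resource", {}).get("id") for e in bundle.get("entry", [])]
    return [rid for rid in ids if rid in deleted_ids]

def next_link(bundle):
    """Return the Bundle's 'next' page URL, or None on the last page."""
    for link in bundle.get("link", []):
        if link.get("relation") == "next":
            return link.get("url")
    return None

def check_server(base):
    """Run steps 1-3 against a test instance; a non-empty result is the bug."""
    created = _call("POST", f"{base}/Patient", {"resourceType": "Patient"})
    pid = created["id"]
    _call("DELETE", f"{base}/Patient/{pid}")
    url, leaked = f"{base}/Patient?_security:not=V", []
    while url:  # follow paging so a large data set does not hide the entry
        bundle = _call("GET", url)
        leaked += leaked_ids(bundle, {pid})
        url = next_link(bundle)
    return leaked

# Constructed sample: one live Patient and one shell entry shaped like the
# report describes (only id and meta.lastUpdated).
SAMPLE = {"resourceType": "Bundle", "type": "searchset", "entry": [
    {"resource": {"resourceType": "Patient", "id": "live-1",
                  "meta": {"lastUpdated": "2024-01-01T00:00:00Z"},
                  "name": [{"family": "Example"}]}},
    {"resource": {"id": "deleted-1",
                  "meta": {"lastUpdated": "2024-01-02T00:00:00Z"}}}]}
```

Matching on the id of the resource the check itself deleted avoids guessing from the entry's shape, since a live but empty Patient can look much like the shell entry.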

feordin commented 3 weeks ago

Thank you for the bug report. I have also been able to repro the issue and confirmed it. We'll get it on the list to fix.