@@ -22,38 +22,32 @@ func MakeFilter(include, exclude []string) NSFilter {
2222
2323 return func (db , coll string ) bool {
2424 _ , dbIncluded := includeFilter [db ]
25- _ , dbExcluded := excludeFilter [db ]
2625
2726 nsIncluded := len (includeFilter ) > 0 && includeFilter .Has (db , coll )
2827 nsExcluded := len (excludeFilter ) > 0 && excludeFilter .Has (db , coll )
2928
30- if nsIncluded && dbIncluded && ! nsExcluded {
31- // If the namespace is included, it is allowed.
32- // Also make sure that the namespace is not excluded,
33- // because exclusion takes precedence.
34- return true
35- }
36-
37- if dbIncluded && ! nsExcluded {
38- // If the database is included in the filter,
39- // but the namespace is not included, it is not allowed.
40- // Also make sure that the namespace is not excluded,
41- // because exclusion takes precedence.
29+ // Exclusion takes precedence - if explicitly excluded, deny immediately.
30+ if nsExcluded {
4231 return false
4332 }
4433
45- if nsExcluded && dbExcluded {
46- // If the namespace is excluded, it is not allowed.
34+ // If include filter exists, use whitelist logic (deny by default).
35+ if len (includeFilter ) > 0 {
36+ // Allow if namespace is explicitly included.
37+ if nsIncluded {
38+ return true
39+ }
40+ // DB is in include filter but collection is not - deny.
41+ if dbIncluded {
42+ return false
43+ }
44+ // DB not in include filter at all - deny.
4745 return false
4846 }
4947
50- if dbExcluded {
51- // If the database is included in the filter,
52- // but the namespace is not excluded, it is allowed.
53- return true
54- }
48+ // No include filter (exclude-only or no filters).
49+ // Allow by default since exclusions are already handled above.
5550
56- // If the namespace is not present in either filter, it is allowed by default.
5751 return true
5852 }
5953}
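Review bot: The `if dbIncluded { return false }` branch inside the include-filter block is redundant, because the fall-through directly below it also returns false. The block can be reduced to `if len(includeFilter) > 0 { return nsIncluded }`, and the `_, dbIncluded := includeFilter[db]` lookup at the top of the closure must then be removed as well, since Go rejects an unused variable. Keeping a branch that appears to separate two cases invites a later edit that makes them diverge and brings back the allow-by-default fall-through for databases missing from the include list, which the removed lines show the old code had. Because a non-empty include list is now deny-by-default, a table-driven test should cover a database absent from the include list and a namespace present in both lists. MakeFilter's construction of the two filters and the semantics of `Has` are outside the hunk, so check there whether `Has` on an empty filter already returns false, which would make the `len(...) > 0 &&` guards unnecessary.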