Make getAuthLevel rules restrict what fields can be used in where clause

I'd have to do it once the document is back from the DB and I'm calculating what can be seen. Once I have a list of fields that can be seen, I need to look at the query again and see if you filtered on any of the fields that can't be seen. if so, throw out that object and keep going.