You need to be careful allowing users to use raw queries if you index sensitive information. Cross domain search timing attacks can be used to extract information from an index [1] if your form does not have XSRF protection.
If you allow raw queries it can also allow users to DOS your application by inputting slow queries.
[1] https://www.idontplaydarts.com/2015/09/cross-domain-timing-attacks-against-lucene/