farcrySolrPro - secured content types


#1

What is the best way to limit Solr searches to content types the user has permissions to view?

I have an extended dmFile type that is restricted to particular roles. When an unauthenticated user searches, is there an easy way to remove this content type from the list Solr is searching?


#2

I don’t believe we are recording any security information in the Solr indexes (either in a related object or the content object itself).

How exactly did you extend the dmFile to restrict by roles? Is it a field/fields that you can index and search against?


#3

The content types that extend dmFile just extend filename (to allow for a different ftDestination out of wwwroot), and a “revision” field for an internal code number…

I am coming from the old verity plugin…

Looks like I have FarCry “view” permissions set for the types, so when indexed with Solr you can see the result, but can’t view it if you don’t have the right role…

For the old verity plugin, it looks like I have added a “dummy” viewPermission field to the verityCollection type …

<cfproperty ftSeq="10" ftFieldset="Secutity Details" name="viewPermission"  type="string" hint="Dummy field to control view permissions" required="no" ftLabel="Access" ftType="permissions" ftPermissions="View" bSave="false" /> 

In verityService.cfc I have

<cfloop index="i" from="1" to="#arrayLen(aAllCollections)#">
    <cfif application.security.checkPermission(permission="view",object=aAllCollections[i].configid)>
        <cfset lResult = listAppend(lResult, "#aAllCollections[i].collectionname#") />
    </cfif>
</cfloop>

Looks like I need to do something similar… extend the solrProContentType to allow for a permissions selection, then elsewhere in the plugin determine which contentTypes (aka collections) to include in the results…??

Pointers?

Chris


#4

Assuming you’re using the plugin’s built-in search, the easiest way would be to override the getSearchResults() function in farcry.plugins.farcrysolrpro.packages.forms.solrProSearch. You could filter the results that come back from the search function before returning them to the display webskins.

So after line 116 here: https://github.com/jeffcoughlin/farcrysolrpro/blob/master/packages/forms/solrProSearch.cfc#L116 you would filter the results.


#5

Thanks Sean… just getting back to this…

A bit off topic, but what is the best way to check permissions on the objects being returned… currently when these content items are returned, if an unauthenticated user tries to click a result, they get the “you do not have access… login screen”… I’m not skilled on FarCry checks for permissions…


#6

I’ve figured out how to check permissions on a type using application.security.checkPermission(permission="mytypepermission")

I can “tag” the result items that should be removed (simply modifying the label output)

I cannot figure out how to remove contenttypes from either the search query itself, or delete results of a certain type from the results…

I am going crazy


#7

Can you allow Solr to return whatever it wants to return, and then when you go to do your output you can only render a view of each object based on whether or not the user has permission?

That might be easier than trying to filter the results in the Solr query itself?

Or, if you need to return a query object from somewhere, then you could create a new query object based on the same permission checks rather than rendering the views immediately.


#8

Thanks Justin. You are right… looks like a gotcha that I ran into was the totalresults was being passed in to the pagination tag and the index was out of bounds since I had deleted items from it…
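
The filter-then-paginate approach from posts #7 and #8, as an added example that is not part of the thread and is not FarCry or farcrySolrPro code. It assumes each search result is a struct with a "typename" key and that a hypothetical struct, stTypePermissions, maps each restricted typename to the permission name checked as in post #6; the function and variable names are made up for illustration.

```cfml
<cfscript>
// Added example; not code from FarCry or farcrySolrPro.
// Assumptions (hypothetical names): each search result is a struct with a
// "typename" key, and stTypePermissions maps a restricted typename to the
// permission name checked as in post #6. Types not in the map are public.
function filterResultsForUser(required array aResults, required struct stTypePermissions) {
    var aVisible = [];
    var stAllowed = {}; // per-request cache: one permission check per type
    var i = 0;
    var typename = "";
    for (i = 1; i <= arrayLen(arguments.aResults); i++) {
        typename = arguments.aResults[i].typename;
        if (!structKeyExists(stAllowed, typename)) {
            stAllowed[typename] = !structKeyExists(arguments.stTypePermissions, typename)
                || application.security.checkPermission(permission = arguments.stTypePermissions[typename]);
        }
        if (stAllowed[typename]) {
            arrayAppend(aVisible, arguments.aResults[i]);
        }
    }
    return aVisible;
}

// Slice one page from the already-filtered array and report the filtered
// total, so the pagination tag never indexes past the end of the array.
function paginateVisible(required array aVisible, required numeric page, required numeric pageSize) {
    var total = arrayLen(arguments.aVisible);
    var totalPages = max(1, ceiling(total / arguments.pageSize));
    var currentPage = min(max(1, arguments.page), totalPages);
    var startRow = (currentPage - 1) * arguments.pageSize + 1;
    var endRow = min(startRow + arguments.pageSize - 1, total);
    var aPage = [];
    var i = 0;
    for (i = startRow; i <= endRow; i++) {
        arrayAppend(aPage, arguments.aVisible[i]);
    }
    return { results = aPage, totalResults = total, currentPage = currentPage, totalPages = totalPages };
}
</cfscript>
```

The filtered total is only correct when aResults holds every match for the query rather than a single page already cut by Solr. Passing the unfiltered Solr count to the pagination tag also tells the user how many restricted items matched.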