Hi, I have a question about SOLR queries. I am trying to restrict access to
SOLR data.
We are running SOLR 4.7.1, and wish to expose the query capabilities to our
customers for the data that belongs to them. Specifically, "/select", with the
default configuration, is the only Request Handler that customers can
access.
<requestHandler name="/select" class="solr.SearchHandler">
  <lst name="defaults">
    <str name="echoParams">explicit</str>
    <int name="rows">10</int>
    <str name="df">text</str>
  </lst>
</requestHandler>
The custom API that fronts SOLR will inject the appropriate restriction
into the "q" param, e.g. q=customerNumber:123, or
append to the "q" param, q=<customer query> AND customerNumber:123, before
sending the request to the "/select" handler.
This works fine; however,
I want to know if there is a way a customer can override these restrictions.
If so, what can I do to prevent that?
So far I have come across facet.mincount as one potential concern
whereby a customer can see data that they should not, e.g.
/select?q=<customer query> AND customerNumber:123&facet=true&facet.field=customerName&rows=0&facet.mincount=0
will return those customer names as well that do not belong to
customerNumber 123.
Are there any other gotchas that I should know?
Thanks for your time and help,
Nitin
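
One way the fronting API could apply the restriction described in this message, added here as an example and not part of the original post: the customer filter is sent as a separate fq parameter instead of being appended to q, only allow-listed parameters are forwarded, and facet.mincount is forced to 1. The Python function names, the allow-list and MAX_ROWS are assumptions made for the example.

```python
from urllib.parse import parse_qsl, urlencode

# Assumption: the only customer-supplied parameters forwarded to /select.
# Anything else (fq, facet.mincount, f.<field>.* overrides, ...) is dropped.
ALLOWED_PARAMS = {"q", "rows", "start", "sort", "fl", "facet", "facet.field"}
MAX_ROWS = 100  # constructed limit for this example


def build_select_params(raw_query_string, customer_number):
    """Return the (name, value) pairs to send to Solr's /select handler."""
    # The customer number comes from the authenticated session, never from
    # the request, and must be a plain integer before it is put in a filter.
    if isinstance(customer_number, bool) or not isinstance(customer_number, int):
        raise ValueError("customer number must be an integer")

    params = []
    for name, value in parse_qsl(raw_query_string, keep_blank_values=True):
        if name not in ALLOWED_PARAMS:
            continue  # not on the allow-list: never reaches Solr
        if name == "rows":
            try:
                value = str(min(max(int(value), 0), MAX_ROWS))
            except ValueError:
                value = "10"  # fall back to the handler default
        params.append((name, value))

    # The restriction is a filter query of its own, so it is intersected with
    # the result set no matter how the customer's q is parsed.
    params.append(("fq", "customerNumber:%d" % customer_number))
    # Facet terms with a zero count inside the filtered set belong to other
    # customers; a minimum count of 1 keeps them out of the response.
    params.append(("facet.mincount", "1"))
    return params


def to_query_string(params):
    """URL-encode the pairs for the request to /select."""
    return urlencode(params)
```

The same two fixed parameters can also be pinned on the Solr side in the handler's "invariants" list, so they hold even if a request bypasses the API.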