Hi Otis, Thanks for the response. I'll try and inline some clarity... 2008/9/18 Otis Gospodnetic <[EMAIL PROTECTED]>:
>> I am trying to put together a security model around fields in my >> index. My requirement is that a user may not have permission to view >> certain fields in the index when he does a search. For example, he may >> have permission to see the name and address, but not the occupation. >> Whereas a different user with different permissions will be able to >> search all 3 fields. > > What exactly is restricted? Viewing of specific fields in results, or > searching in specific fields? I am restricting the results - the user can search everything, but I was planning (as you mention) to apply a fieldList qualifier to the query. In my head (ie not tried it yet) I was hoping I could write a 'SecurityRequestHandler' that would take an incoming security 'token' and construct a %fl qualifier. Some other thoughts in my head are around developing my own fieldType, where I could tokenise the value against the field (e.g. store <field name="occupation">candlestick maker=Restricted</field> or something similar. Thoughts on that? > If it's the former, you could tell Solr which fields to return using > %fl=field1,field2... > If it's the latter, you could always write a custom SearchComponent that > takes your custom "userType" or "allowedFields" parameter and constructs a > query based on that. > >> What is the best way to model this? >> >> My current stab at this has a document-level security level set (I >> have a field called security_default), and all fields have this >> default. If there are exceptions, I have a multiValued field called >> 'security_exceptions' where I comma delimit the fild name and >> different access permission for that field. Eg I might have >> 'occupation=Restricted' in that field. >> >> This falls over when I copyField fields into a text field for easier >> searching. > > Searching across multiple fields is pretty easy, too. I'd stick to that, as > that also lets you assign different weight to different fields. > My requirement is to offer a google-type search, so the user can type in "john smith ford green" and get results where "ford" may be a last name or a car manufacturer, or "green" is the colour of the car, a last name or part of a town name. If I tokenised the field values as above and copyField-ed them into a single text box, would my tokeniser pick those out? Dunno - I guess I need to roll my sleeves up and do some coding, try some of this out. Thanks again for any insights Geoff
