lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ahmet Arslan <iori...@yahoo.com.INVALID>
Subject Re: SOLR query - restrict access to user documents
Date Wed, 08 Oct 2014 00:57:38 GMT
How about using a fq in appends section of solrconfig.xml?

<lst name="appends">
    <str name="fq">{!term f=customerNumber v=$qq}</str>
</lst>

And your query string will be : /select?q=<customer query>&qq=123

https://cwiki.apache.org/confluence/display/solr/Local+Parameters+in+Queries

Ahmet


On Wednesday, October 8, 2014 1:40 AM, Nitin Agarwal <2nitinagarwal@gmail.com> wrote:
Thanks for the info Jorge, I will look into invariants, good pointer.

My API, forces the rows to be a max of 500. If the user specifies more than
500 docs, then we modify the rows param to be 500.




On Tue, Oct 7, 2014 at 3:31 PM, Jorge Luis Betancourt Gonzalez <
jlbetancourt@uci.cu> wrote:

> I see you’re defining a default value for “rows” this could be overridden
> on the request, and requesting a lot of documents from solr can stress out
> your server/cluster, of course if the client in question has that many
> documents. if this is a fixed value and the clients can’t request more
> documents, then I’ll consider moving this into the invariants section
> ensuring that no matter what this value can’t be changed by the request.
> Some time ago I had a similar use case, we wanted to expose Solr to the
> clients and eventually we faced problems where some clients requested “all
> of his documents” in one request stressing out our cluster in the end we
> wrote a custom SearchComponent to set max values (instead of a fixed value
> specified on invariants) for the rows and start parameters (actually this
> component those a little more as we add some limitations to each type of
> client, defining some constrains as how many documents. i.e. data points
> can be requested, etc.).
>
> Hope it helps,
>
> On Oct 7, 2014, at 11:37 AM, Nitin Agarwal <2nitinagarwal@gmail.com>
> wrote:
>
> > Hi, I have a question around SOLR query, I am trying to restrict access
> to
> > SOLR data.
> >
> > We are running SOLR 4.7.1, and wish to expose the query capabilities to
> our
> > customers for the data that belongs to them. Specifically "/select", with
> > default configuration is the only Request Handler that customers can
> > access.
> >
> > <requestHandler name="/select" class="solr.SearchHandler">
> >     <lst name="defaults">
> >       <str name="echoParams">explicit</str>
> >       <int name="rows">10</int>
> >       <str name="df">text</str>
> >     </lst>
> > </requestHandler>
> >
> > The custom API that fronts SOLR, will inject appropriate restriction
> > into the "q" param e.g. q=customerNumber:123 or
> > append to "q" param q=<customer query> AND customerNumber:123, before
> > sending the request to the "/select" handler.
> >
> > This works fine, however,
> >
> > I want to know if there is a way customer can override these
> restrictions?
> >
> > If so what can I do to prevent that?
> >
> > So far I have come across facet.mincount as one potential concern
> > where by customer can see data that they should not, e.g.
> >
> > /select?q=<customer query> AND
> >
> customerNumber:123&facet=true&facet.field=customerName&rows=0&*facet.mincount=0*
> >
> > will return those customer names as well that do not belong to
> > customerNumber 123.
> >
> > Are there any other gotchas that I should know?
> >
> > Thanks for your time and help,
> >
> > Nitin
>
> Concurso "Mi selfie por los 5". Detalles en
> http://justiciaparaloscinco.wordpress.com
>

Mime
View raw message