lucene-solr-user mailing list archives

From Nitin Agarwal <2nitinagar...@gmail.com>
Subject SOLR query - restrict access to user documents
Date Tue, 07 Oct 2014 15:37:29 GMT
Hi, I have a question about SOLR queries: I am trying to restrict access to
SOLR data.

We are running SOLR 4.7.1, and wish to expose the query capabilities to our
customers for the data that belongs to them. Specifically, "/select", with
the default configuration, is the only Request Handler that customers can
access.

<requestHandler name="/select" class="solr.SearchHandler">
     <lst name="defaults">
       <str name="echoParams">explicit</str>
       <int name="rows">10</int>
       <str name="df">text</str>
     </lst>
</requestHandler>

The custom API that fronts SOLR will inject the appropriate restriction
into the "q" param, e.g. q=customerNumber:123, or
append to the "q" param, q=<customer query> AND customerNumber:123, before
sending the request to the "/select" handler.

This works fine, however,

I want to know if there is a way a customer can override these restrictions?

If so, what can I do to prevent that?

So far I have come across facet.mincount as one potential concern
whereby a customer can see data that they should not, e.g.

/select?q=<customer query> AND
customerNumber:123&facet=true&facet.field=customerName&rows=0&*facet.mincount=0*

will return those customer names as well that do not belong to
customerNumber 123.

Are there any other gotchas that I should know?

Thanks for your time and help,

Nitin
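
An added example, not part of the original message: one way the fronting API could build the upstream "/select" request so the restriction does not depend on the customer's "q" text and facet.mincount is always set by the API. The function name, the parameter allowlist, the row cap and the integer type of customerNumber are assumptions.

```python
from urllib.parse import urlencode

# Assumed allowlist: the only parameters the front-end API passes through.
ALLOWED = {"q", "rows", "start", "fl", "sort", "facet", "facet.field"}
MULTI_VALUED = {"facet.field"}
MAX_ROWS = 100  # assumed cap on page size


def build_select_params(customer_number, client_params):
    """Build the /select parameter list for one customer.

    client_params: (key, value) pairs exactly as received from the customer.
    """
    if type(customer_number) is not int:
        raise ValueError("customer number must come from the session as an int")
    out, seen = [], set()
    for key, value in client_params:
        if key not in ALLOWED:
            continue  # drops fq, facet.mincount and anything else not listed
        if key in seen and key not in MULTI_VALUED:
            continue  # single-valued parameter: keep the first occurrence only
        seen.add(key)
        if key in ("rows", "start"):
            if not (value.isascii() and value.isdigit()):
                raise ValueError(f"{key} must be a non-negative integer")
            if key == "rows":
                value = str(min(int(value), MAX_ROWS))
        out.append((key, value))
    if "q" not in seen:
        out.append(("q", "*:*"))
    # The restriction goes in its own filter query, set server-side only.
    out.append(("fq", f"customerNumber:{customer_number}"))
    # Always sent by the API, so facets list only values with matching documents.
    out.append(("facet.mincount", "1"))
    return out


if __name__ == "__main__":
    # Constructed request modelled on the one in the message above.
    sample = [("q", "customerName:acme"), ("facet", "true"),
              ("facet.field", "customerName"), ("rows", "0"),
              ("facet.mincount", "0")]
    print("/select?" + urlencode(build_select_params(123, sample)))
```
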
