search index permissions

A place for users and developers of the Xataface to discuss and receive support.

search index permissions

Postby omills » Wed Nov 09, 2011 11:37 am

The global search (top right corner search) results seem to be ignoring permissions and showing things based on the permissions of the person who rebuilt the index rather than the person who is doing the search. (Since my update from 1.2.5 to 1.3.x)

Access to the actual tables follows the permissions correctly... its just the global search index that is giving me problems.

Here is my permissions set up:
permissions.ini
Code: Select all
[STAFF extends OWNER]
[FINANCE extends STAFF]
manage_build_index=1
manage_output_cache=1


finances.php (access to the finances table, which is indexed, should only be for those with a FINANCE role)
Code: Select all
   function getPermissions(&$record){
      $auth =& Dataface_AuthenticationTool::getInstance();
      $user =& $auth->getLoggedInUser();
          // $user is a Dataface_Record encapsulating the currently logged in user.   
         // first let's deal with the case that the user is not logged in.
      if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
      if ( $user->val('Role') == 'FINANCE' ) return Dataface_PermissionsTool::ALL();
      return Dataface_PermissionsTool::NO_ACCESS();
   }


If I rebuild the index from a user logged in the MANAGER role, it shows NO ACCESS, NO ACCESS for the "fincances" tab of the global search results... (for any user)
If I rebuild the index from a user logged in with the FINANCE role, it shows all the finances data in the "fincances" tab of the global search results... (for any user!!! - I want to limit that to only users with the FINANCE role)

Permissions are checked in the ApplicationDelegate.php
Code: Select all
function getPermissions(&$record){
         $auth =& Dataface_AuthenticationTool::getInstance();
         $user =& $auth->getLoggedInUser();
         if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
             // if the user is null then nobody is logged in... no access.
             // This will force a login prompt.
         if ($user->val('Role')<>'')
             $role = $user->val('Role');
          else
             $role = 'READ ONLY';
         
         return Dataface_PermissionsTool::getRolePermissions($role);
             // Returns all of the permissions for the user's current role.
      }


Thanks!
omills
 
Posts: 18
Joined: Sat Nov 07, 2009 11:01 am

Re: search index permissions

Postby shannah » Thu Nov 10, 2011 10:28 am

You have stumbled on quite an important point. For now it is best to only use the search index for "public" content. The search index is stored in its own table and permissions for that table are decoupled from the permissions of the originating record. You can control what information will be stored in the index using delegate class methods, but permissions in the index are public by default.
shannah
 
Posts: 4457
Joined: Wed Dec 31, 1969 5:00 pm


Return to Xataface Users

Who is online

Users browsing this forum: No registered users and 12 guests

cron
Powered by Dataface
© 2005-2007 Steve Hannah All rights reserved