Page 1 of 1

search index permissions

PostPosted: Wed Nov 09, 2011 11:37 am
by omills
The global search (top right corner search) results seem to be ignoring permissions and showing things based on the permissions of the person who rebuilt the index rather than the person who is doing the search. (Since my update from 1.2.5 to 1.3.x)

Access to the actual tables follows the permissions correctly... its just the global search index that is giving me problems.

Here is my permissions set up:
permissions.ini
Code: Select all
[STAFF extends OWNER]
[FINANCE extends STAFF]
manage_build_index=1
manage_output_cache=1


finances.php (access to the finances table, which is indexed, should only be for those with a FINANCE role)
Code: Select all
   function getPermissions(&$record){
      $auth =& Dataface_AuthenticationTool::getInstance();
      $user =& $auth->getLoggedInUser();
          // $user is a Dataface_Record encapsulating the currently logged in user.   
         // first let's deal with the case that the user is not logged in.
      if ( !$user ) return Dataface_PermissionsTool::NO_ACCESS();
      if ( $user->val('Role') == 'FINANCE' ) return Dataface_PermissionsTool::ALL();
      return Dataface_PermissionsTool::NO_ACCESS();
   }


If I rebuild the index from a user logged in the MANAGER role, it shows NO ACCESS, NO ACCESS for the "fincances" tab of the global search results... (for any user)
If I rebuild the index from a user logged in with the FINANCE role, it shows all the finances data in the "fincances" tab of the global search results... (for any user!!! - I want to limit that to only users with the FINANCE role)

Permissions are checked in the ApplicationDelegate.php
Code: Select all
function getPermissions(&$record){
         $auth =& Dataface_AuthenticationTool::getInstance();
         $user =& $auth->getLoggedInUser();
         if ( !isset($user) ) return Dataface_PermissionsTool::NO_ACCESS();
             // if the user is null then nobody is logged in... no access.
             // This will force a login prompt.
         if ($user->val('Role')<>'')
             $role = $user->val('Role');
          else
             $role = 'READ ONLY';
         
         return Dataface_PermissionsTool::getRolePermissions($role);
             // Returns all of the permissions for the user's current role.
      }


Thanks!

Re: search index permissions

PostPosted: Thu Nov 10, 2011 10:28 am
by shannah
You have stumbled on quite an important point. For now it is best to only use the search index for "public" content. The search index is stored in its own table and permissions for that table are decoupled from the permissions of the originating record. You can control what information will be stored in the index using delegate class methods, but permissions in the index are public by default.