mark david mcCreary wrote:
> 
> I am working on a one machine search archive, with multiple
> independent silos of data (subsets).
> 
> I want to make sure that any search has a valid ul= operand.
> 
> I was thinking that having
> 
> AllowFrom 127.0.0.1
> 
> would keep only those queries that come from the search button on my html page.
> 
> However, it looks like I can easily edit the query, and submit it
> directly from my web browser, thereby dropping the ul argument, and
> searching the whole site.
> 
> Any suggestions on how I might keep this from happening?

Well, the most obvious solution is to set up two separate search daemons on different
ports working with two different databases, and two index processes: one will index
data that is available to everybody, while the other will index protected data.
Having a second s.cgi (that will query the second searchd) in a web server directory
protected by (say) BasicAuth will then solve the problem.

Another solution is to write a small wrapper script which will check some user
credentials and the ul= parameter, and decide whether to run s.cgi or not based on that.

Anything else (say, requiring that ul= is not empty) will give you only a false sense
of security. The main idea is that you don't want to check ul= alone, you want to check
who is using the search, so you need some authentication method involved. Either you
do it using the Apache BasicAuth feature (or some other authentication), or you write
a script yourself, or you combine both methods.

-- 
[EMAIL PROTECTED]  ICQ 7551596  Phone +7 903 6722750
Hard work may not kill you,  but why take chances?
--
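The wrapper-script approach from the reply above, as an added example that is not part of the original thread and not mnoGoSearch's own code. It assumes Apache (or any other front end) has already authenticated the request and set REMOTE_USER (what BasicAuth does), that the real s.cgi lives at an assumed path outside the web-reachable CGI directory so only the wrapper can reach it, and a hypothetical server-side table of which ul= silos each user may search. The point it demonstrates is the one the reply makes: the decision is keyed on who is asking, not on whether ul= happens to be non-empty, and the client-supplied ul= is only accepted if it names a silo that user is entitled to.

```python
#!/usr/bin/env python3
"""Hypothetical CGI wrapper in front of mnoGoSearch's s.cgi (added example).

Apache authenticates the user (BasicAuth sets REMOTE_USER); this script decides
which ul= values that user may search and only then runs the real s.cgi.
The silo table, the s.cgi path and the parameter whitelist are assumptions.
"""
import os
import subprocess
import sys
from urllib.parse import parse_qsl, urlencode

# Assumed location of the real s.cgi, kept OUTSIDE the web-accessible CGI
# directory so the only way to reach it is through this wrapper.
REAL_SCGI = "/usr/local/mnogosearch/libexec/s.cgi"

# Assumed server-side table: the URL silos (ul= values) each authenticated
# user may search. This is the thing the client must never get to choose.
ALLOWED_SILOS = {
    "alice": {"http://archive.example/silo-a/", "http://archive.example/public/"},
    "bob":   {"http://archive.example/silo-b/", "http://archive.example/public/"},
}

# Assumed whitelist of the form's own parameters; anything else is dropped so
# the client cannot smuggle in some other option alongside ul=.
PASSTHROUGH = ("q", "ul", "ps", "np", "m")


def authorize_query(query_string, remote_user):
    """Return the query string to hand to s.cgi, or None to refuse the request.

    Rules: the user must be authenticated and known; at least one ul= must be
    present, so a request with ul= edited out cannot fall through to the whole
    index; and every ul= supplied must be a silo this user is allowed to see.
    """
    if not remote_user or remote_user not in ALLOWED_SILOS:
        return None
    allowed = ALLOWED_SILOS[remote_user]
    # keep_blank_values so that a bare "ul=" shows up (as "") and is rejected
    params = parse_qsl(query_string, keep_blank_values=True)
    silos = [v for k, v in params if k == "ul"]
    if not silos or any(s not in allowed for s in silos):
        return None
    # Rebuild the query from scratch instead of passing the original through.
    kept = [(k, v) for k, v in params if k in PASSTHROUGH]
    return urlencode(kept)


def main():
    query = authorize_query(os.environ.get("QUERY_STRING", ""),
                            os.environ.get("REMOTE_USER"))
    if query is None:
        sys.stdout.write("Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                         "search not permitted\n")
        return 1
    env = dict(os.environ, QUERY_STRING=query, REQUEST_METHOD="GET")
    # s.cgi writes its own headers and result page straight to stdout.
    return subprocess.call([REAL_SCGI], env=env)


if __name__ == "__main__":
    sys.exit(main())
```

Install this as the only search CGI the web server exposes (behind the BasicAuth block), and move or permission the real s.cgi so a browser cannot request it directly; otherwise the wrapper is just a second door next to an open one. The same idea works with the two-daemon layout from the reply: the table then maps users to which searchd port to forward to rather than which ul= to allow.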