Hi,

On 10/1/07, Marcel Reutegger <[EMAIL PROTECTED]> wrote:
> I'm about to write a spellchecker extension for the lucene query handler in
> jackrabbit.

Cool! Some concerns though, as I figure the spell checker would use the search index as a dictionary. Can there be a case where this feature could be used to circumvent access controls to retrieve isolated pieces of content from read-protected documents? I guess the threat is a bit theoretical, but how about a case where an attacker just wants to know if a repository contains some specific material (a list of specific names, etc.). The attacker could use the spellchecker as a mechanism to find out if a workspace contains a document with a specific name or keyword.

> I planned to use the lucene-spellchecker contrib, however I don't
> want to introduce another dependency in the jackrabbit-core. because the
> spellchecker contrib in lucene only includes a handful of classes I would
> prefer to copy the classes and refactor them into the jackrabbit package space.
>
> does anyone have a better idea how to handle this?

Would there be interest within the Lucene team to include the feature in a future release of lucene-core? I see where Felix is going with extra modules, but there's always a cost in complexity with such modularity and I'm not sure if this feature is worth that overhead.

BR,

Jukka Zitting
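The access-control concern raised in the message above, as an added example that is not part of the original mail and is not Jackrabbit or Lucene code: a toy model of a spellchecker whose dictionary is the whole search index, next to a variant that builds its candidates only from documents the caller may read. The document set, the principal names and the functions `suggest_naive` and `suggest_acl_aware` are assumptions made up for the illustration.

```python
from difflib import get_close_matches

# Constructed sample index: (terms of one document, principals allowed to read it).
DOCS = [
    ({"quarterly", "report", "budget"}, {"alice", "bob"}),
    ({"merger", "acquisition", "zephyrcorp"}, {"alice"}),  # bob has no read access
]


def _closest(word, terms):
    """Return the single best dictionary match for a (misspelled) word, or []."""
    return get_close_matches(word, sorted(terms), n=1, cutoff=0.8)


def suggest_naive(word, docs=DOCS):
    """Dictionary is every indexed term, regardless of who may read the source.

    Any caller gets a suggestion for a term that exists only in a protected
    document, which confirms that the term is present in the workspace.
    """
    all_terms = set().union(*(terms for terms, _ in docs))
    return _closest(word, all_terms)


def suggest_acl_aware(word, user, docs=DOCS):
    """Candidates come only from documents the calling principal can read."""
    readable = set().union(*(terms for terms, readers in docs if user in readers))
    return _closest(word, readable)


if __name__ == "__main__":
    probe = "zephyrcrop"  # misspelling of a name found only in the protected document
    print("naive          :", suggest_naive(probe))
    print("acl-aware bob  :", suggest_acl_aware(probe, "bob"))
    print("acl-aware alice:", suggest_acl_aware(probe, "alice"))
```

In a real repository the per-user dictionary would be too expensive to build this way; the same effect is usually obtained by keeping only those suggestions for which a search run under the caller's own session returns at least one hit.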
