Yes, please document this for FCREPO-1008. It is a fine real-life example of in-search filtering. I will include your patch later.
Thank you, Gert On 26/10/2011, at 18.00, Swithun Crowe wrote: > Hello > > I've attached a patch which lets me use the value/s in the > FEDORA_AUX_SUBJECT_ATTRIBUTES servlet attribute to refine queries. > > The extraction of the appropriate attribute values and their use in an > in-search filter is probably quite specific to the archiving project I'm > working on. But it should give an idea of how it can be done. > > In our archive, we will store objects related to many different projects. > Each project has resources of 3 different types: data, source code and > documentation. Different users will be allowed to see objects belonging to > some or all of these different resource types for projects they are > involved with. > > The Fedora PIDs are made up of 3 parts - a two part prefix and a UUID > generated outside of Fedora. The prefix is made up of a project code and a > resource type code, so a PID looks like this: > > rps-data:13c771d4-93c4-4b98-94fe-10dbd53258d5 > > Here is what the patch does: > > The HTTP request comes into RESTImpl.java, and is passed to the > gfindObjects method. The FEDORA_AUX_SUBJECT_ATTRIBUTES attribute is a Map > with String keys and Set<String> values. I'm interested in the fedoraRole > key, and convert the Set of strings into an array of strings. > > This string array gets passed to the Config object's getOperationsImpl > method, which passes it on to the GenericOperationsImpl object's init > method. Here it is stored in a protected class member. > > OperationsImpl's gfindObjects method can then pass this on to > rewriteQueryForInsearch method in the SearchResultFilteringDemoImpl > object. > > Here, the values for fedoraRole are examined. If there are no roles, then > the user shouldn't see anything. If one of the roles is 'administrator', > then no extra filtering is needed, as they are allowed to see everything. > Otherwise, each role is examined to see if it contains a _ (underscore). > If it does, then the role value is composed of a project prefix and a > project role suffix. > > One suffix is 'admin', which means that the user can see everything in a > project. Another suffix is 'reader', which means they can see data > resources. So, if a user has 'rps_admin' as a fedoraRole value, then > 'PID:rps-*' is added to the query. If the user has 'rps_reader' as a > fedoraRole, then 'PID:rps-data*' is added to the query. There is no need > for an extra field(s) in the index. This mimics the effect of the XACML > policies in Fedora. > > I haven't tried this yet with the LDAP filter that comes with > fedora-server.jar, or the SSO filter that Adam and Scott have produced. > But it works with the XML user file filter, and the Lucene engine. > > Shall I document this for FCREPO-1008? > > Swithun. > > -- > The University of St Andrews is a charity registered in Scotland: > SC013532<attributes.patch><ATT00001.c><ATT00002.c> ------------------------------------------------------------------------------ The demand for IT networking professionals continues to grow, and the demand for specialized networking skills is growing even more rapidly. Take a complimentary Learning@Cisco Self-Assessment and learn about Cisco certifications, training, and career opportunities. http://p.sf.net/sfu/cisco-dev2dev _______________________________________________ Fedora-commons-users mailing list Fedora-commons-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
