Storing user-id within the index is not a good plan. It would force you to update the index every time user access rights change, or as users are added and removed from the system.
Also, if I have read Brian's question correctly, it is not document access that needs to be controlled but access to specific fields. If there is a specific set of restricted fields then, rather than filtering the results after the search, a better approach would be to programmatically alter the search criteria to search only those document fields that are not restricted.

-- Neal

-----Original Message-----
From: Digy [mailto:[email protected]]
Sent: Wednesday, April 01, 2009 10:36 AM
To: [email protected]
Subject: RE: Filtering queries

Assuming that you can store the access rights related to a doc in a field
Like;

Doc1:
    Text: --> "text1"
    AccessRights: --> "user1 user2"
Doc2:
    Text: --> "text2"
    AccessRights: --> "user2 user3"

You can inject a "+AccessRights:User1" into the query the user (user1 in this case) supplied.

DIGY.

-----Original Message-----
From: Brian Victor [mailto:[email protected]]
Sent: Wednesday, April 01, 2009 5:54 PM
To: [email protected]
Subject: Filtering queries

We have a system in which access to documents is controlled by a non-trivial authorization system most closely related to ACLs. A user is able to either see all the document's fields, a well-defined subset of those fields, or none of the fields. I need help figuring out how to get Lucene to not search on fields of a document that a user can't see.

I have found the Filter class. In order to use this, it seems I need to know the Lucene document IDs of the documents that should be visible, and from what I understand document IDs are not fixed so I can't store a link between them and my database rows.

I have considered storing my database IDs in a Lucene field on each document. What I can't figure out is how to guarantee that all search results are in the set of database IDs that a user can see. I can retrieve that list of IDs; is there a way to have Lucene filter on that list?

Thanks!

-- Brian
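The two suggestions in this thread (a mandatory AccessRights clause, and searching only unrestricted fields) can be modelled together. This is an added example, not code from any poster and not Lucene's API: it is a plain-Python model of the matching logic. Assumptions: the "Notes" field, the sample terms, the function names, and a per-user list of visible fields are all constructed for illustration.

```python
# Constructed sample index: the Doc1/Doc2 layout from the thread, plus a
# hypothetical restricted field "Notes" to show field-level control.
DOCS = [
    {"Text": "text1 budget", "Notes": "secret1", "AccessRights": "user1 user2"},
    {"Text": "text2 budget", "Notes": "secret2", "AccessRights": "user2 user3"},
]


def parse(query, default_fields):
    """Turn 'term' and 'Field:term' tokens into (fields, term) clauses."""
    clauses = []
    for token in query.split():
        field, sep, term = token.partition(":")
        if sep:
            clauses.append(([field], term.lower()))  # user named a field
        else:
            clauses.append((list(default_fields), token.lower()))
    return clauses


def secure_search(docs, query, user, visible_fields):
    """Return positions of docs matching every clause that `user` may see."""
    visible = set(visible_fields)
    clauses = parse(query, visible_fields)
    hits = []
    for pos, doc in enumerate(docs):
        # Mandatory ACL condition (the "+AccessRights:user" idea), applied as
        # a structured clause rather than concatenated into the query text.
        if user.lower() not in doc["AccessRights"].lower().split():
            continue
        for fields, term in clauses:
            # Restricted fields are dropped even when named explicitly.
            allowed = [f for f in fields if f in visible]
            if not any(term in doc.get(f, "").lower().split() for f in allowed):
                break
        else:
            hits.append(pos)
    return hits


if __name__ == "__main__":
    print(secure_search(DOCS, "budget", "user1", ["Text"]))
    print(secure_search(DOCS, "Notes:secret1", "user1", ["Text"]))
```

The point to carry over to a real query parser is the second case: limiting the default search fields is not enough if the query syntax lets the user name a field directly, so explicitly named fields need the same check.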
