I'm willing to appreciate we all get forced into bad design sometimes, so if I was in your shoes I'd create a single field and give it multiple values based on who can read it.
First I'd create a set of groups and assign users to these groups, based on access rights. This can be managed in the database and won't require updates to the Lucene index as users change groups. Hopefully you have a manageable number of groups.

Next I'd add a field to every document called "Access", and add an instance of the field for each group that can read a document:

Doc1:
  Access: all
  Access: marketing
  Access: admin
Doc2:
  Access: marketing
  Access: admin

Then on searches, add in the field to the query. So if you added Access: all to the query, you wouldn't get a hit on doc 2.

The downside is adding a group will mean tagging all existing docs with the group that need access. The good news is, from a security side, no one will see anything until that's done.

Mike

On Wed, Apr 1, 2009 at 2:00 PM, Digy <[email protected]> wrote:
> As far as I can see,
>
> 1- You should be able to store the ACL in a field(like AccessRights)
> somehow, so that some docs (for ex.,doc2 in a search ""Text:text*)can be
> stripped out from the search result like( "+AccessRights:user1")
> BUT, you don't want it for performance etc. reasons.
>
> 2- Search results should be filtered (in a loop while reading the docs from
> index?) before returning to user, utilizing the field "AccessRights".
>
> 3- You are in trouble :-)
>
> DIGY
>
> -----Original Message-----
> From: Brian Victor [mailto:[email protected]]
> Sent: Wednesday, April 01, 2009 8:37 PM
> To: [email protected]
> Subject: Re: Filtering queries
>
> On Wed, Apr 01, 2009 at 08:27:08PM +0300, Digy wrote:
>>Doc1:
>> Title: "title1" //everyone can see.
>> Text: "text1" //only user1 can see
>>
>>Doc2:
>> Title: "title2" //everyone can see.
>> Text: "text2" //only user2 can see
>>
>>
>>If I make a search(as user1) like "Title:title*" then I should get 2 hits
>>but I should not read the "Text" field of Doc2.
>>
>>Am I correct?
>
> Yes. Moreover, if you're user1 and you search for "text", you should
> only get one hit. And to add yet another wrinkle, user3 may not be
> allowed to see Doc1 at all.
>
> So for any given user/document combination, one of the following
> applies:
>
> 1) User can read every field in document
> 2) User can read "text" field in document
> 3) User cannot read any part of document
>
> --
> Brian
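
The multi-valued "Access" field approach from the reply above, as an added example that is not code from the thread. It assumes the Lucene 8.x/9.x Java API; the class name, the `doc` and `restrict` helpers, the sample text and the "sales" group are hypothetical, while the other group names follow the Doc1/Doc2 layout in the message.

```java
import java.util.*;
import org.apache.lucene.analysis.standard.StandardAnalyzer;
import org.apache.lucene.document.*;
import org.apache.lucene.index.*;
import org.apache.lucene.search.*;
import org.apache.lucene.store.ByteBuffersDirectory;
import org.apache.lucene.store.Directory;

// Added example; class and helper names are hypothetical.
public class AccessFieldDemo {
    // One un-analyzed "Access" instance per group allowed to read the document.
    static Document doc(String text, String... groups) {
        Document d = new Document();
        d.add(new TextField("Text", text, Field.Store.YES));
        for (String g : groups) d.add(new StringField("Access", g, Field.Store.NO));
        return d;
    }

    // Wrap the user's query so a hit must also carry one of the caller's groups.
    // The clause is built in code, never concatenated into the user's query string.
    static Query restrict(Query userQuery, Collection<String> groups) {
        BooleanQuery.Builder acl = new BooleanQuery.Builder();
        for (String g : groups)
            acl.add(new TermQuery(new Term("Access", g)), BooleanClause.Occur.SHOULD);
        // With no groups the inner query has no clauses and matches nothing,
        // so a caller without group membership gets no hits.
        return new BooleanQuery.Builder()
            .add(userQuery, BooleanClause.Occur.MUST)
            .add(acl.build(), BooleanClause.Occur.FILTER) // restricts hits, no effect on score
            .build();
    }

    public static void main(String[] args) throws Exception {
        Directory dir = new ByteBuffersDirectory();
        try (IndexWriter w = new IndexWriter(dir, new IndexWriterConfig(new StandardAnalyzer()))) {
            w.addDocument(doc("quarterly report", "all", "marketing", "admin")); // Doc1
            w.addDocument(doc("campaign report", "marketing", "admin"));         // Doc2
        }
        try (DirectoryReader r = DirectoryReader.open(dir)) {
            IndexSearcher s = new IndexSearcher(r);
            Query q = new TermQuery(new Term("Text", "report"));
            // Group lists are constructed here; in practice they come from the database.
            System.out.println(s.count(restrict(q, List.of("all"))));              // member of "all"
            System.out.println(s.count(restrict(q, List.of("all", "marketing")))); // two groups
            System.out.println(s.count(restrict(q, List.of("sales"))));            // group not yet tagged
            System.out.println(s.count(restrict(q, List.of())));                   // no groups
        }
    }
}
```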
