Re: Securing field level access permission by filtering the query itself

2015-11-06 Thread Alessandro Benedetti
Are you basically saying that you are going to model 3 collections, 1 per role. Each collection schema will contain only the sensitive field. When you query you simply search in the related collection and retrieve all the fields. That's it? Cheers On 6 November 2015 at 15:05, Douglas McGilvray

Re: Securing field level access permission by filtering the query itself

2015-11-06 Thread Douglas McGilvray
You know what guys, I have had a change in perspective… I previously thought: do I want to index all these documents multiple times just to protect 3 fields? I am now thinking: do I really want to try to parse all the fields in a query when there are only 3 roles? I have only 4k documents and

Re: Securing field level access permission by filtering the query itself

2015-11-05 Thread Alessandro Benedetti
Be careful with the suggester as well. You don't want to show suggestions coming from sensitive fields. Cheers On 5 November 2015 at 15:28, Scott Stults wrote: > Good to hear! Depending on how far you want to take it, you can then scan > the initial request coming in from the client (and the fina

Re: Securing field level access permission by filtering the query itself

2015-11-05 Thread Scott Stults
Good to hear! Depending on how far you want to take it, you can then scan the initial request coming in from the client (and the final response) for raw Solr fields -- that shouldn't happen. I've used mod_security as a general-purpose application firewall and would recommend it. k/r, Scott On Wed

Re: Securing field level access permission by filtering the query itself

2015-11-04 Thread Douglas McGilvray
Thanks Alessandro, I had overlooked the highlighting component. I will also add a reminder to exclude these fields from spellcheck fields (or maintain different spellcheck fields for different roles). @Scott - Once I started planning my code the penny finally dropped regarding your point abo

Re: Securing field level access permission by filtering the query itself

2015-11-04 Thread Alessandro Benedetti
Of course it depends on all the query parameters you use and process in the response. The list you wrote should be ok if you use only those components. For example if you use highlight, it's not ok and you need to take care of the highlighted fields as well. Cheers On 30 October 2015 at 14:51

Re: Securing field level access permission by filtering the query itself

2015-10-30 Thread Douglas McGilvray
Scott thanks for the reply. I like the idea of mapping all the field names internally, adding security through obscurity. My question therefore would be what is the definitive list of query parameters that one must filter to ensure a particular field is not exposed in the query response? Am I mi

Re: Securing field level access permission by filtering the query itself

2015-10-30 Thread Scott Stults
Douglas, Managing a per-user-group whitelist of fields outside of Solr seems the best approach. When the query comes in you can then filter out any fields not contained in the whitelist before you send the request to Solr. The easy part will be to do that on URL parameters like fl. Depending on ho
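The per-role whitelist Scott describes above, together with the highlighting and spellcheck fields Alessandro and Douglas raise later in the thread, as an added example that is not code from this thread or from Solr: a proxy-side filter (written in Python here, although the proxy in the thread is PHP) that strips fields outside the role's whitelist from fl, hl.fl, facet.field, qf and sort, drops q/fq clauses that reference a hidden field, and drops any parameter it does not recognise. ROLE_FIELDS, the parameter classification sets and SAMPLE_REQUEST are constructed assumptions, not values from the thread.

```python
import re
# Constructed per-role field whitelist; the field names are made up for this example.
ROLE_FIELDS = {"public": {"id", "title", "body"}, "staff": {"id", "title", "body", "internal_notes"}}
# Assumed classification of request parameters; extend it to match the components your solrconfig
# enables (highlighting, spellcheck, suggest, ...). Anything not classified is dropped: fail closed.
FIELD_LIST_PARAMS = {"fl", "hl.fl", "facet.field", "qf", "df", "group.field"}
QUERY_PARAMS = {"q", "fq"}                                   # free syntax that may embed field:value
PASSTHROUGH = {"rows", "start", "wt", "hl", "facet", "defType", "mm"}
FIELD_REF = re.compile(r"(?<![\w.])([A-Za-z_][\w.]*)\s*:")  # "field:" references inside q or fq
# Constructed request as the proxy sees it (name -> list of values, because Solr params repeat).
SAMPLE_REQUEST = {"q": ["title:solr AND body:facet"], "fq": ["internal_notes:urgent"], "rows": ["10"],
                  "fl": ["id,title,internal_notes"], "sort": ["internal_notes desc, title asc"]}


def _field_of(token):
    """Bare field named by a token: strips edismax boosts (title^2) and fl aliases (t:title);
    functions and local params ("(" or "{") yield None, so they are never forwarded."""
    return None if "(" in token or "{" in token else token.split("^", 1)[0].split(":", 1)[-1]


def sanitize(params, role):
    """Reduce a request to what `role` may see; returns (clean_params, rejected (param, value) pairs)."""
    allowed = ROLE_FIELDS[role]
    clean, rejected = {}, []
    for name, values in params.items():
        if name in FIELD_LIST_PARAMS:
            for v in values:                             # keeps the caller's value shape and separator
                kept = []
                for tok in filter(None, re.split(r"[,\s]+", v)):
                    if tok == "*" and name == "fl":
                        kept.extend(sorted(allowed))     # expand * to the role's own fields only
                    elif _field_of(tok) in allowed:
                        kept.append(tok)
                    else:
                        rejected.append((name, tok))
                if kept:
                    clean.setdefault(name, []).append(("," if "," in v else " ").join(kept))
        elif name == "sort":                             # sorting on a hidden field leaks its order
            clauses = re.findall(r"([\w.]+)\s+(asc|desc)", " ".join(values), re.I)
            kept = [f"{f} {d}" for f, d in clauses if f in allowed or f == "score"]
            if kept:
                clean["sort"] = [", ".join(kept)]
        elif name in QUERY_PARAMS:                       # a clause naming a hidden field is dropped whole
            for v in values:
                if set(FIELD_REF.findall(v)) <= allowed:
                    clean.setdefault(name, []).append(v)
                else:
                    rejected.append((name, v))
        elif name in PASSTHROUGH:
            clean[name] = list(values)
        else:
            rejected.append((name, ",".join(values)))
    return clean, rejected
```

Run `sanitize(SAMPLE_REQUEST, "public")` to see the fq clause, the sort on internal_notes and the hidden field in fl all removed while the rest of the request passes through; the same whitelist should be applied to the documents and highlighting snippets in the response, since Solr defaults (fl omitted, hl.fl omitted) can otherwise return every stored field.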

Securing field level access permission by filtering the query itself

2015-10-28 Thread Douglas McGilvray
Hi all, First I’d like to say the nested facets and the json facet api in particular have made my world much better, I thank everyone involved, you are all awesome. My implementation has much of the solr query building working on the browser; solr is behind a php server which acts as “proxy”