Hi, If all you have to do is "hide" certain fields from search results for some users, then your application -- the application that sends search requests to Solr can just use different fl=XXX parameters based on user's permission. I think that's all you need and the custom fieldType should not be needed.
As for entering just the keywords and searching several fields automatically - this is what DisMax handler is good at, so give that a try. Otis -- Sematext -- http://sematext.com/ -- Lucene - Solr - Nutch ----- Original Message ---- > From: Geoff Hopson <[EMAIL PROTECTED]> > To: solr-user@lucene.apache.org > Sent: Thursday, September 18, 2008 3:21:01 AM > Subject: Re: Field level security > > Hi Otis, > Thanks for the response. I'll try and inline some clarity... > > 2008/9/18 Otis Gospodnetic : > > >> I am trying to put together a security model around fields in my > >> index. My requirement is that a user may not have permission to view > >> certain fields in the index when he does a search. For example, he may > >> have permission to see the name and address, but not the occupation. > >> Whereas a different user with different permissions will be able to > >> search all 3 fields. > > > > What exactly is restricted? Viewing of specific fields in results, or > searching in specific fields? > > I am restricting the results - the user can search everything, but I > was planning (as you mention) to apply a fieldList qualifier to the > query. In my head (ie not tried it yet) I was hoping I could write a > 'SecurityRequestHandler' that would take an incoming security 'token' > and construct a %fl qualifier. > > Some other thoughts in my head are around developing my own fieldType, > where I could tokenise the value against the field (e.g. store > name="occupation">candlestick maker=Restricted or something > similar. Thoughts on that? > > > > If it's the former, you could tell Solr which fields to return using > %fl=field1,field2... > > If it's the latter, you could always write a custom SearchComponent that > > takes > your custom "userType" or "allowedFields" parameter and constructs a query > based > on that. > > > >> What is the best way to model this? > >> > >> My current stab at this has a document-level security level set (I > >> have a field called security_default), and all fields have this > >> default. If there are exceptions, I have a multiValued field called > >> 'security_exceptions' where I comma delimit the fild name and > >> different access permission for that field. Eg I might have > >> 'occupation=Restricted' in that field. > >> > >> This falls over when I copyField fields into a text field for easier > searching. > > > > Searching across multiple fields is pretty easy, too. I'd stick to that, > > as > that also lets you assign different weight to different fields. > > > > My requirement is to offer a google-type search, so the user can type > in "john smith ford green" and get results where "ford" may be a last > name or a car manufacturer, or "green" is the colour of the car, a > last name or part of a town name. If I tokenised the field values as > above and copyField-ed them into a single text box, would my tokeniser > pick those out? > > Dunno - I guess I need to roll my sleeves up and do some coding, try > some of this out. > > Thanks again for any insights > > Geoff
