"let's also be clear always that Solr is meant to be behind the firewall"

Absolutely, but we are NOT doing that when we provide the Velocity-based /browse UI.

Erik, your email example sounds reasonable, so if you want to substitute something like that for the /browse handler, fine. As you point out, it is not Velocity per se, but the /browse UI that results in a lack of clarity about Solr being meant to be behind the firewall.

-- Jack Krupansky

-----Original Message----- From: Erik Hatcher
Sent: Tuesday, December 04, 2012 5:23 AM
To: solr-user@lucene.apache.org
Subject: Re: How to change Solr UI

It's a shame wt=velocity gets a bad rap because /update isn't out of the box strict with the HTTP/RESTful scene. A delete should be a DELETE of some sort.

There are 3rd party standalone apps. There was even a standalone ruby app (flare) that was once upon a time in Solr's svn, but really the Solr committers can't be expected to maintain all those various examples and keep them up to date and working, so best to keep them 3rd party IMO. We've got Blacklight, VuFind, and all sorts of other front-ends out there with their own vibrant communities.

I'm -1 for removing VW (it's a contrib plugin as it is already, just like /update/extract). /browse certainly could use a cleaning up / revamping, but it's good stuff if I do say so myself and very handy to have available for several reasons*.

Let's try not to conflate wt=velocity with /update being more easily dangerous than it probably should be. But let's also be clear always that Solr is meant to be behind the firewall as its primary and default place in the world.

Erik

* One I'll share: There is a real-world use case of a (relatively big) company using wt=velocity to generate e-mail (for saved searches) texts very conveniently in a backend environment and very high speed, no other technologies/complexities needed in the mix but Solr and a little custom templating.

On Dec 3, 2012, at 20:58 , Jack Krupansky wrote:

It is annoying to have to repeat these explanations so much.

Any serious objection to removing the VW UI from Solr proper and replacing it with a standalone app?

I mean, Solr should have PHP, python, Java, and ruby example apps, right?

-- Jack Krupansky

-----Original Message----- From: Iwan Hanjoyo
Sent: Monday, December 03, 2012 8:28 PM
To: solr-user@lucene.apache.org
Subject: Re: How to change Solr UI

Note that Velocity _can_ be used for user-facing code, but be very sure you
secure your Solr. If you allow direct access, a user can easily enter
something like http://<solr>/update?commit=true&stream.body=<delete><query>*:*</query></delete>.
And all your documents will be gone.

Hi Erickson,

Thank you for the input.
I'll notice and filter out this url.
* http://<solr>/update?commit=true&stream.body=<delete><query>*:*</query></delete>

Kind regards,

Hanjoyo
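The thread turns on one observation: a single GET to /update carrying stream.body can delete every document in a directly exposed Solr. The following is an added example, not code from this thread or from the Solr project, showing the kind of request check Hanjoyo says he will put in front of Solr: it parses the request line the way a reverse proxy or an access-log audit would, flags any call to an /update handler, flags the remote-streaming parameters (stream.body, stream.url, stream.file), and flags a delete command inside stream.body whether it arrives raw or percent-encoded. The sample request lines are constructed, and the handler paths assume a collection named collection1.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample request lines (method, path+query); not taken from any real log.
SAMPLE_REQUESTS = [
    ("GET", "/solr/collection1/select?q=*:*&wt=velocity"),
    ("GET", "/solr/collection1/update?commit=true&stream.body=<delete><query>*:*</query></delete>"),
    # Same delete, percent-encoded the way a browser or curl --data-urlencode would send it.
    ("GET", "/solr/collection1/update?commit=true&stream.body=%3Cdelete%3E%3Cquery%3E*%3A*%3C%2Fquery%3E%3C%2Fdelete%3E"),
    ("POST", "/solr/collection1/update?commit=true"),
    ("GET", "/solr/collection1/browse?q=ipod"),
]

# Request parameters that make Solr read the request payload from somewhere other
# than the POST body (see the thread: stream.body is the one used in the delete URL).
STREAMING_PARAMS = ("stream.body", "stream.url", "stream.file")


def classify_request(method: str, target: str) -> list[str]:
    """Return the list of reasons a request should be blocked or alerted on.

    An empty list means nothing in the request line looked like a write to Solr.
    Only the request line is inspected: a delete sent in a POST body is invisible
    here, which is why this check complements, and does not replace, keeping Solr
    behind the firewall.
    """
    parts = urlsplit(target)
    path = parts.path
    # parse_qs percent-decodes values, so "%3Cdelete%3E" and "<delete>" compare equal.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons: list[str] = []

    # Any /update handler (including /update/extract, /update/json, ...) mutates the index.
    if path.rstrip("/").endswith("/update") or "/update/" in path:
        reasons.append("update handler")
        if method.upper() not in ("POST", "PUT"):
            reasons.append(f"non-mutating verb {method.upper()} used for a mutating handler")

    for name in STREAMING_PARAMS:
        if name in params:
            reasons.append(f"remote streaming parameter {name}")

    body = "".join(params.get("stream.body", []))
    if "<delete" in body:
        reasons.append("delete command in stream.body")

    return reasons


def audit_requests(requests):
    """Run classify_request over (method, target) pairs; return only the flagged ones."""
    flagged = []
    for method, target in requests:
        reasons = classify_request(method, target)
        if reasons:
            flagged.append((method, target, reasons))
    return flagged


if __name__ == "__main__":
    for method, target, reasons in audit_requests(SAMPLE_REQUESTS):
        print(f"BLOCK {method} {target}\n    " + "; ".join(reasons))
```

The select and /browse requests pass untouched, so a filter built on this rule does not interfere with wt=velocity itself; it only gates the write path that the thread identifies as the real exposure. The POST to /update is flagged too, because whether writes are allowed at all is a placement decision (trusted network or authenticated indexer), not something a URL pattern can decide.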
