Limit search based on user type

drk4 2019-06-17 15:39:23 UTC #1

I have a web collection that is a mix of public results alongside private results. The private results should only be searchable / accessible to logged in users.

Currently I am loading in a .ftl template using AJAX to provide the display of search results.

Is it possible to use this method of searching and displaying results to control what the user is shown?
As far as I can see user verification would always be on the client side, so could then be easy to bypass and just get all the results. Ie. passing the user type as a parameter to the search.

A possible (flawed) solution could be.
- Splitting the collection into two (private and public) and passing that as a parameter. (easy to bypass)

Is there a way to lockdown funnelback search templates based on user credentials at a funnelback/server level?

Thanks,
David

dcook 2019-06-18 22:47:15 UTC #2

I haven't used this before myself, but it sounds like you need Document Level Security: https://docs.funnelback.com/15.20/customise/advanced-options/collection-security/document-level-security.html

plevan 2019-06-19 00:11:50 UTC #3

If you're using a CMS or similar to authenticate the use and the results are wrapped by the CMS you could possibly use collection level security (https://docs.funnelback.com/15.20/customise/advanced-options/collection-security/index.html) to achieve this as long as you only have a small number of user groups.

To achieve the security you would need to crawl the content as a user of each of these groups in separate collections and at query time select the corresponding collection when executing your search. You would need to replace the ajax method of fetching the results with something that is server-side so that you could then secure the search results (by IP restricting Funnelback to your CMS and ensuring that the CMS only can set the collection to query)

Document level security is quite complicated and not likely to work for you unless you have your own instance of Funnelback and would require custom work to achieve what you are after.

drk4 2019-07-11 10:04:06 UTC #4

Thank you that makes sense.

Is there a way to implement Funnelback server-side that still makes use of the ftl templates? Or does the entire results and facets layout need replicated based on the json results to lock down access fully and process all queries before they are sent to Funnelback?

Our servers run PHP.

plevan 2019-08-05 00:43:48 UTC #5

You can still use Freemarker FTL templates to format the results. You'd need to change the AJAX model to be something server-side so you can use the collection-level security to restrict access to the CMS machine.

Your server would need to fetch the generated HTML from Funnelback (so the request comes from the server and not the user). This could be a complete page, or just a partial chunk of HTML that you nest inside your PHP generated page. This basically corresponds to the 'partial HTML' section outlined here: https://docs.funnelback.com/15.20/more/extra/integrating_search_with_your_website.html