Hi Paul,

Regardless of how you implement it, I would recommend you use filter queries for the permissions check rather than making it part of the main query.

On Sat, Oct 23, 2010 at 4:03 AM, Paul Carey <paul.p.ca...@gmail.com> wrote:
> Hi
>
> My domain model is made of users that have access to projects which
> are composed of items. I'm hoping to use Solr and would like to make
> sure that searches only return results for items that users have
> access to.
>
> I've looked over some of the older posts on this mailing list about
> access control and saw a suggestion along the lines of
> acl:<user_id> AND (actual query).
>
> While this obviously works, there are a couple of niggles. Every item
> must have a list of valid user ids (typically less than 100 in my
> case). Every time a collaborator is added to or removed from a
> project, I need to update every item in that project. This will
> typically be fewer than 1000 items, so I guess is no big deal.
>
> I wondered if the following might be a reasonable alternative,
> assuming the number of projects to which a user has access is lower
> than a certain bound.
> (acl:<project_id> OR acl:<project_id> OR ... ) AND (actual query)
>
> When the numbers are small - e.g. each user has access to ~20 projects
> and each project has ~20 collaborators - is one approach preferable
> over another? And when outliers exist - e.g. a project with 2000
> collaborators, or a user with access to 2000 projects - is one
> approach more liable to fail than the other?
>
> Many thanks
>
> Paul
>

--
°O°
"Good Enough" is not good enough.
To give anything less than your best is to sacrifice the gift.
Quality First. Measure Twice. Cut Once.
http://www.israelekpo.com/
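
An added example, not part of the original messages: one way an application could build the Solr request so the permission check travels in `fq` while the user's text stays in `q`. It assumes the `acl` field holds project ids, as in the second variant of the question; the function names are hypothetical.

```python
from urllib.parse import urlencode

ACL_FIELD = "acl"  # field name from the thread; assumed to hold project ids


def quote_term(value):
    """Quote a value as a Lucene phrase so it cannot alter the filter syntax."""
    text = str(value)
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def acl_filter(project_ids):
    """Build the fq clause from project ids looked up server-side for the user."""
    # De-duplicate and sort so the same user always yields the same fq string,
    # which lets Solr reuse its cached filter across that user's searches.
    ids = sorted({str(p) for p in project_ids})
    if not ids:
        # Fail closed: a user with no projects gets no search at all.
        raise PermissionError("user has no accessible projects")
    return f"{ACL_FIELD}:({' OR '.join(quote_term(p) for p in ids)})"


def build_params(user_query, project_ids, rows=10):
    """Return the URL-encoded select parameters with the ACL kept out of q."""
    params = [
        ("q", user_query),                # untrusted text stays in the main query
        ("fq", acl_filter(project_ids)),  # results of q are intersected with this
        ("rows", str(rows)),
    ]
    return urlencode(params)


if __name__ == "__main__":
    # Constructed sample: the q text names a project the user does not belong to;
    # the fq still limits results to p42 and p7.
    print(build_params('title:report OR acl:"p999"', ["p42", "p7"]))
```

Because `fq` restricts whatever `q` matches, an `acl:` clause typed into the search box cannot widen the result set.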