It's a similar approach as using SQL to filter the rows brought back for a particular user from a table. It's strong as long as you write your queries correctly, you store your data properly, and you guard against injection and privilege escalation. There's an added bonus in this case in that the user's submitted text isn't in the same query as the part that limits the rows they have access to, but if you're doing proper escaping of the query text, that shouldn't be relied on anyway.
Michael Della Bitta ------------------------------------------------ Appinions, Inc. -- Where Influence Isn’t a Game. http://www.appinions.com On Tue, May 29, 2012 at 3:07 PM, Mike Douglass <mikeadougl...@gmail.com> wrote: > Thank you. > > That sounds good - are we sure to get no leakage with this approach? > > I'd be indexing personal information which must not be delivered without > authentication. > > The solr instance is front-ended by bedework which can handle the auth and > adding a query term.
