Asp.net 2.0, Security and roles
  • Asp.net 2.0, Security and roles

    Hi, I plan on using Zoom Search Engine 4.2 on my web portal system.

    I have a login page and will use this page, with username/password in the querystring - to get the indexer started.

    The user I provide belongs to the "Administrator" role, which means that all pages will be available to the indexer.

    My users have different roles:

    1. Public
    2. Member
    3. Content creator

    and so on.

    Each of these roles has access only to the pages it is allowed to visit; it should be the same for the search results.

    My questions are:

    1. Is it possible to "filter" the search output? (I would check every URL against the user's rights and skip displaying it if no access is allowed.)
    2. If 1. is possible, how about "Number of hits" and other returned search information?
    3. Would best practice be 1 index per role? (It would be a major administrative task.)
    4. Are there better solutions to this "role" issue?
    5. And last: can the indexer be activated from the web app code? It would be nice to reindex when needed!

    Hope someone can answer these questions.

    Kind regards
    Hessner

  • #2
    Yes, you could either,

    1) Create 3 sets of index files. 1 per user group

    OR

    2) Index all files and filter the results based on the permissions of the currently logged in user.


    In the case of option 1) this would mean doing a lot of extra indexing, but the search function would work quicker as no filtering is required. And you wouldn't need to write any new code. Plus figures like the numbers of results found would be correct.

    In the case of option 2) you would need to write some new code, to check URLs against your database and filter results. The figures like the numbers of results found would be incorrect as Zoom wouldn't know how many results will be filtered out.

    If you did choose option 2), then you might want to consider looking at V5 of Zoom as you could use the new XML output option. This would make post processing of the results easier.

    There are maybe also a 3rd and 4th possible solution, if you aren't too worried about security. Add a keyword (or keywords) to the document meta data to indicate the classification of the document. Then write a very small script to append this keyword to the search query. Zoom will then do the filtering.

    A similar thing could be done with the category feature in Zoom, especially in V5, where a document is allowed to be in more than 1 category. This would just be security by obscurity however.

    Or maybe you could use categories with a script that validated that a particular user was allowed to select the category in question. e.g. the Admin category. This would be efficient, return correct results and be reasonably secure if done right.



    • #3
      Thanks for your answers

      I especially like this one:

      "If you aren't too worried about security. Add a keyword (or keywords) to the document meta data to indicate the classification of the document. Then write a very small script to append this keyword to the search query. Zoom will then do the filtering."

      My plan is:

      Step 1:
      Add the relevant keywords to the metadata on every document:
      "SecurityCheck-Public" and/or "SecurityCheck-Member" and/or "SecurityCheck-Admin".

      Step 2:
      Read the user's role whenever a search is submitted, and add the appropriate keywords to the query string, with & in between.

      Step 3:
      On the result aspx page, check the query string for "SecurityCheck-something" and again look at the user's role, to see if the query string has been tampered with. If not, then display the result.

      Step 4:
      Reindex pages whenever the security level changes.
      The metadata will not be cached so the indexer will always get a fresh version.

      I do not see any security risk here, do you?

      Kind regards
      Hessner



      • #4
        Can't immediately see anything wrong from a security aspect.

        I think using V5 categories would be cleaner. Thinking about it more, appending search terms in the background is going to cause a few minor side effects, like breaking the "Any word search" (boolean OR) search option. Using categories would have fewer side effects, I think.



        • #5
          I agree.

          But the category should be implicit (invisible to the user); it will make no sense to create a dropdown with user-group categories that the user should select from.

          And when I also want to use the category as "normal", wouldn't mixing it with security mess things up?

          But if I could interact with the creation of the category dropdown menu, "just" remove the security categories and add them to the query string after looking into the user's rights, then it would be perfect. I don't know if I can control this dropdown menu myself?

          One last question: are there any plans on making an asp.net 2.0 C# version of zoomsearch?


          Regards
          Hessner
          Last edited by hessner; Nov-26-2006, 08:52 AM. Reason: Found a possible solution



          • #6
            Yes you will need to have a small script that manipulates the list of categories in the background. It would accept the categories the user selected from check boxes or a drop down, but then append the extra (hidden) security category.

            This can only be done with V5 of Zoom, because the V5 categories feature allows a document to be in multiple categories at the same time. In V4 a document could only belong to a single category (plus the ALL category).

            You need to add meta data to each document. For example for a public document you need at least 3 lines, like this,
            <meta name="ZOOMCATEGORY" content="SecurityCheckMember">
            <meta name="ZOOMCATEGORY" content="SecurityCheckAdmin">
            <meta name="ZOOMCATEGORY" content="SecurityCheckPublic">

            Then you need to wrap the CGI script with your own ASP.NET code. Your code manipulates the URL before calling the CGI.

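As an added example (not code from this thread or from Zoom), here is the kind of server-side query-string rewrite #6 describes, written in Python rather than ASP.NET so it runs stand-alone. The CGI parameter names `zoom_query` and `zoom_cat[]`, the role-to-category mapping and the sample request are assumptions; only the three SecurityCheck category names come from the thread.

```python
from urllib.parse import parse_qsl, urlencode

# Assumed parameter names (hypothetical, not taken from Zoom's documentation).
QUERY_PARAM = "zoom_query"
CATEGORY_PARAM = "zoom_cat[]"

# Hidden categories from the thread. A public document carries all three,
# a member-only document carries Member and Admin, an admin document only Admin,
# so one category per role selects exactly the documents that role may see.
SECURITY_CATEGORIES = {"SecurityCheckPublic", "SecurityCheckMember", "SecurityCheckAdmin"}

# Assumed mapping from the ASP.NET role (known server-side) to the hidden category.
ROLE_TO_CATEGORY = {
    "Public": "SecurityCheckPublic",
    "Member": "SecurityCheckMember",
    "Administrator": "SecurityCheckAdmin",
}


def build_search_query(client_query: str, user_role: str) -> str:
    """Rewrite the browser's query string before it is passed to the search CGI.

    Any security category the client put in the request is dropped outright
    (there is nothing to "check for tampering": the client never gets a say),
    visible categories chosen from checkboxes or a dropdown are kept, and the
    single hidden category derived from the server-side role is appended.
    """
    if user_role not in ROLE_TO_CATEGORY:
        # Fail closed: an unmapped role gets no search at all.
        raise ValueError(f"unknown role: {user_role!r}")

    params = [
        (key, value)
        for key, value in parse_qsl(client_query, keep_blank_values=True)
        if not (key == CATEGORY_PARAM and value in SECURITY_CATEGORIES)
    ]
    params.append((CATEGORY_PARAM, ROLE_TO_CATEGORY[user_role]))
    return urlencode(params)


if __name__ == "__main__":
    # Constructed request: a Member tries to smuggle in the Admin category.
    smuggled = "zoom_query=budget&zoom_cat%5B%5D=SecurityCheckAdmin&zoom_cat%5B%5D=News"
    print(build_search_query(smuggled, "Member"))
```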


            • #7
              Perfect, I will give this a try - and soon purchase the Version 5

              Thanks
              Hessner



              • #8
                Hi, I gave it a try.

                I am running version 5, but the system only reads the first category
                meta tag in my file:

                <meta name="ZOOMCATEGORY" content="UCatAdmins">
                <meta name="ZOOMCATEGORY" content="UCatAlle">

                The result shows that words belong to the UCatAdmins category, but not to the UCatAlle category, even when both meta tags are on the same page.

                If I switch the two "meta name" statements, then the words will belong to UCatAlle and not UCatAdmins.

                And I have not set the checkbox next to: "Files belonging to this category can not belong to any other category" on the category tab.

                Regards
                Hessner



                • #9
                  You're right, this was a bug and a known issue in the most recent beta release. It is fixed in the final release (due in the next few days!)
                  --Ray
                  Wrensoft Web Software
                  Sydney, Australia
                  Zoom Search Engine



                  • #10
                    User rights, categories and plugin....

                    Ups, This Post Is Moved To V5.
                    Last edited by hessner; Feb-15-2007, 06:50 PM.