根据用户限制来限制Lucene.Net搜索结果

Question

I am trying to figure out how to manage restricted data within a Lucene.Net index, say you have a person document with something like:

Name: Peter Pan
Locations: Neverland, London, Paris

Now say that I had 2 users, UserA and UserB, and that whay they individually was allowed to see was:

UserA: 
  Name: Peter Pan
  Locations: Neverland, London

UserB: 
  Name: Peter Pan
  Locations: London, Paris

Now I wish to allow both of them to search on Locations, however since UserB can't see that Peter Pan has been to Neveland, Searching on "Neverland" would not yeld Peter as a result to UserB, Visa-Versa with UserA and Paris, but both can see London...

The data I have to deal with is vastly more complex than that, bu the way these things are turned on and off are by what we call caveats, so to dive deeper into the above, the reason they see what they see could by example be that they have the rights to view data with the following caveats:

UserA: AAA, BBB
UserB: BBB, CCC

And because the location data entries for peter are tagged as:

Neverland - AAA
London - BBB
Paris - CCC

As an example...

I hope this sorts of outlines the situation good enough to at least start a discussion.

1. Replicate Model

Obviously I could properly separate all data entries up into the bits that make up a "document" instead of storing Peter Pan as one big document, I could fragment it out, but that would leave me with a situation where I could possibly get multiple hits on the same actual objects as I see it... It would also be allot of fields.

2. Multiple Documents

Alternatively I could store one document pr. restriction with just the data a for what a single caveat may give the rights to, again as far as I can tell this gives multiple hits and it also gives allot of "redundant" data.

3. Filtering by DataBase roundtrip

Lastly but not least I could perform the search ignoring caveats, and then rather than displaying the results directly from Lucene, I could let our DataAccess tier do the caveat filtering for me, that would add a round-trip to the database earlier than needed though.

Although the round-trip to the database might be the least of my concern here. There is also the fact. that Lucene would return hits that might not actually be hits when it comes to the search term, as the value generating that hit might not be visible to that user.

This also means the "number of results" might be off.

All in all, it wouldn't just be an extra database round-trip, we would have to also "redo" the filtering after that result had been pulled up.

---

I would hear if I could reach someone with more Lucene experience than my self to give some input if possible.

Thanks in advance.

Answer 1

If you can assign permissions by groups (ie "all users who cannot see trips to Neverland"), you could add a field (or fields depending on the complexity of your permissions) to each document that informs the UI to ignore all trips to Neverland.

If you cannot group permissions, it would be possible (if unwieldy in the presence of large numbers of users) to add permissions for each user to each document, then have the UI process those permissions appropriately. This would let you have separate permissions for each document for each user (similar to filesystem permissions).