Ask Questions and Find Answers
Important:
Ask is now read-only. You can review any existing questions and answers, but not add anything new.
But - don't panic! While ask is no more, we've replaced it with discuss - the new Liferay Discussion Forum! Read more here here or just visit the site here:
discuss.liferay.com
Search Engine - handling permissions
In 6.2 I found the reason of slow search in our case is not Lucene, but subsequent permission checks (our permission logic is quite complex).
For 7.x, after migrating, I planned to simplify that permission logic to be even able to pass all the necessary into Search Engine directly so no permission checking is needed afterwards.
But reading 7.1 documentation I am discovering completely different world.
Especially this is quite unclear:
Does it mean that permission checks cannot be disabled? Or is that permission check performed directly by the search engine, not afterwards by Liferay Engine?
Has anybody some insights how search results permission checks are done in the context of the new Search API?
Thanks,
Jan
For 7.x, after migrating, I planned to simplify that permission logic to be even able to pass all the necessary into Search Engine directly so no permission checking is needed afterwards.
But reading 7.1 documentation I am discovering completely different world.
Especially this is quite unclear:
In previous versions of Liferay Portal, search was only permissions aware (indexed with the entity’s permissions and searched with those permissions intact) if the application developer specified this line in thehttps://dev.liferay.com/es/develop/tutorials/-/knowledge_base/7-1/indexing-framework#permissions-aware-searching-and-indexingclass’s constructor:IndexerNow, search is permissions aware by default if the new permissions approach, as described in these tutorials, is implemented for an application.[code]setPermissionAware(true);
Does it mean that permission checks cannot be disabled? Or is that permission check performed directly by the search engine, not afterwards by Liferay Engine?
Has anybody some insights how search results permission checks are done in the context of the new Search API?
Thanks,
Jan
Hi Jan,
Indexer framework has changed since 7.1 and now instead of having a big *Indexer class that extends BaseIndexer, you have to create several smaller classes as explained here:
With this new approach, setPermissionAware(true/false) is not longer necessary as it relies in the new permissions framework explained here:
It is not necessary to define "permission aware", as index/search behavior is automatic: in case you define a ModelResourcePermission service for your entity, permission info will be used during indexation and search.
In case ModelResourcePermission service doesn't exists, it won't be applied. See:
If you consider all this stuff is very complicated, for now you can still creating your Indexer class extending BaseIndexer.java as it is still supported, but sooner or later this kind of Indexers will be deprecated and removed.
Regards,
Jorge
Indexer framework has changed since 7.1 and now instead of having a big *Indexer class that extends BaseIndexer, you have to create several smaller classes as explained here:
With this new approach, setPermissionAware(true/false) is not longer necessary as it relies in the new permissions framework explained here:
It is not necessary to define "permission aware", as index/search behavior is automatic: in case you define a ModelResourcePermission service for your entity, permission info will be used during indexation and search.
In case ModelResourcePermission service doesn't exists, it won't be applied. See:
- DefaultIndexer.isPermissionAware => https://github.com/liferay/liferay-portal/blob/7.1.x/modules/apps/portal-search/portal-search/src/main/java/com/liferay/portal/search/internal/indexer/DefaultIndexer.java#L217-L219
- IndexerPermissionPostFilterImpl => https://github.com/liferay/liferay-portal/blob/7.1.x/modules/apps/portal-search/portal-search/src/main/java/com/liferay/portal/search/internal/indexer/IndexerPermissionPostFilterImpl.java#L62-L67
- IndexerPermissionPostFilterImpl is initialize in ModelSearchConfiguratorServiceTrackerCustomizer, there modelResourcePermissionSupplier is set. You can see modelResourcePermissionSupplier is only set in case ModelResourcePermission exists.
- ModelSearchConfiguratorServiceTrackerCustomizer => https://github.com/liferay/liferay-portal/blob/7.1.x/modules/apps/portal-search/portal-search/src/main/java/com/liferay/portal/search/internal/indexer/ModelSearchConfiguratorServiceTrackerCustomizer.java#L237-L243.
If you consider all this stuff is very complicated, for now you can still creating your Indexer class extending BaseIndexer.java as it is still supported, but sooner or later this kind of Indexers will be deprecated and removed.
Regards,
Jorge
Copyright © 2025 Liferay, Inc
• Privacy Policy
Powered by Liferay™