RE: Search Engine - handling permissions

2019-04-22T09:02:02Z

Hi Jan,

Indexer framework has changed since 7.1 and now instead of having a big *Indexer class that extends BaseIndexer, you have to create several smaller classes as explained here:

https://dev.liferay.com/es/develop/tutorials/-/knowledge_base/7-1/indexing-framework#mapping-the-composite-search-and-indexing-framework-to-indexer-baseindexer-

With this new approach, setPermissionAware(true/false) is not longer necessary as it relies in the new permissions framework explained here:

https://dev.liferay.com/es/develop/tutorials/-/knowledge_base/7-1/registering-permissions#registering-entities-to-the-permissions-service

It is not necessary to define "permission aware", as index/search behavior is automatic: in case you define a ModelResourcePermission service for your entity, permission info will be used during indexation and search.

In case ModelResourcePermission service doesn't exists, it won't be applied. See:

DefaultIndexer.isPermissionAware => https://github.com/liferay/liferay-portal/blob/7.1.x/modules/apps/portal-search/portal-search/src/main/java/com/liferay/portal/search/internal/indexer/DefaultIndexer.java#L217-L219
IndexerPermissionPostFilterImpl => https://github.com/liferay/liferay-portal/blob/7.1.x/modules/apps/portal-search/portal-search/src/main/java/com/liferay/portal/search/internal/indexer/IndexerPermissionPostFilterImpl.java#L62-L67
IndexerPermissionPostFilterImpl is initialize in ModelSearchConfiguratorServiceTrackerCustomizer, there modelResourcePermissionSupplier is set. You can see modelResourcePermissionSupplier is only set in case ModelResourcePermission exists.
ModelSearchConfiguratorServiceTrackerCustomizer => https://github.com/liferay/liferay-portal/blob/7.1 .x/modules/apps/portal-search/portal-search/src/main/java/com/liferay/portal/search/internal/indexer/ModelSearchConfiguratorServiceTrackerCustomizer.java#L237-L243.

If you consider all this stuff is very complicated, for now you can still creating your Indexer class extending BaseIndexer.java as it is still supported, but sooner or later this kind of Indexers will be deprecated and removed.

Regards,
Jorge

Search Engine - handling permissions

2019-04-17T15:03:33Z

In 6.2 I found the reason of slow search in our case is not Lucene, but subsequent permission checks (our permission logic is quite complex).

For 7.x, after migrating, I planned to simplify that permission logic to be even able to pass all the necessary into Search Engine directly so no permission checking is needed afterwards.

But reading 7.1 documentation I am discovering completely different world.

Especially this is quite unclear:

In previous versions of Liferay Portal, search was only permissions aware (indexed with the entity’s permissions and searched with those permissions intact) if the application developer specified this line in the
Indexer
class’s constructor:
[code]setPermissionAware(true);
Now, search is permissions aware by default if the new permissions approach, as described in these tutorials, is implemented for an application.

https://dev.liferay.com/es/develop/tutorials/-/knowledge_base/7-1/indexing-framework#permissions-aware-searching-and-indexing

Does it mean that permission checks cannot be disabled? Or is that permission check performed directly by the search engine, not afterwards by Liferay Engine?

Has anybody some insights how search results permission checks are done in the context of the new Search API?

Thanks,

Jan