[Xapian-tickets] [Xapian] #632: ACL support for omindex
Xapian
nobody at xapian.org
Sat Mar 22 20:13:25 GMT 2014
#632: ACL support for omindex
-------------------------+-------------------------
Reporter: egarette | Owner: olly
Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Other | Version:
Severity: normal | Resolution:
Keywords: | Blocked By:
Blocking: | Operating System: All
-------------------------+-------------------------
Comment (by egarette):
Replying to [comment:1 olly]:
> You seem to have removed the code which suppresses adding I<user> and
> I@<group> terms when the file is world-readable (and so has an I* term).
> What's the reasoning behind that?
>
> I don't understand the logic for adding O and G prefixed terms from
> ACLs. These are meant to indicate which user and group '''own''' the
> file, so you can search for "all files owned by X".
>
> I don't understand how your patch handles an ACL saying who '''can't'''
> read a file. You need to add V prefixed terms for those.
I've removed this code because it's the same problem as the group's rights
described here:
http://lists.xapian.org/pipermail/xapian-discuss/2013-October/009024.html.
The problem arises when you have an ACL like this:
{{{
$ getfacl file1.txt
# file: file1.txt
# owner: root
# group: root
user::rw-
user:user1:---
user:user2:r--
group::r--
mask::r--
other::r--
$ delve -r 1 ../db/
Term List for record #1: D20140226 Etxt Ffile1 Groot I#root I* I@root
I@user2 M201402 Oroot Ouser1 Ouser2 P/ Ttext/plain U/file1.txt Y2014
ZFfile1 Zappl Zeat Zi Zlike Zto apples eat i like to
}}}
{{{
$ getfacl file2.txt
# file: file2.txt
# owner: root
# group: root
user::rw-
group::r--
group:user1:---
group:user2:r--
mask::r--
other::r--
$ delve -r 4 ../db/
Term List for record #4: D20140226 Etxt Ffile2 Groot Guser1 Guser2 I#root
I#user2 I* I@root M201402 Oroot P/ Ttext/plain U/file2.txt Y2014 ZFfile2
Zeat Zhoney Zi Zlike Zto eat honey i like to
}}}
{{{
$ getfacl file3.txt
# file: file3.txt
# owner: root
# group: root
user::rw-
group::r--
group:user1:r--
mask::r--
other::r--
$ delve -r 3 ../db/
Term List for record #3: D20140226 Etxt Ffile3 Groot Guser1 I#root I#user1
I* I@root M201402 Oroot P/ Ttext/plain U/file3.txt Y2014 ZFfile3 Zchees
Zeat Zi Zlike Zto cheese eat i like to
}}}
{{{
$ getfacl file4.txt
# file: file4.txt
# owner: root
# group: root
user::rw-
group::r--
other::r--
$ delve -r 2 ../db/
Term List for record #2: D20140226 Etxt Ffile4 Groot I#root I* I@root
M201402 Oroot P/ Ttext/plain U/file4.txt Y2014 ZFfile4 Zeat Zi Zlike
Zmushroom Zto eat i like mushrooms to
}}}
{{{
$ getfacl file5.txt
# file: file5.txt
# owner: root
# group: root
user::rw-
group::r--
other::---
$ delve -r 5 ../db/
Term List for record #5: D20140226 Etxt Ffile5 Groot I#root I@root M201402
Oroot P/ Ttext/plain U/file5.txt Y2014 ZFfile5 Zeat Zi Zlike Zmushroom Zto
eat i like mushrooms to
}}}
Assuming we have two users:
{{{
$ id user1
uid=1001(user1) gid=1001(user1) groupes=1001(user1),1000(user)
$ id user2
uid=1002(user2) gid=1002(user2) groupes=1002(user2),1000(user)
}}}
user1 can only read file3.txt and file4.txt
user2 can read file1.txt, file2.txt, file3.txt and file4.txt
To get files with write restriction:
for user1: eat AND (write:@user1 OR ( ( write:#user OR write:#user1 ) NOT
user:user1 ) OR ( write:* NOT user:user1 NOT group:user NOT group:user1) )
{{{
Parsed query is: Xapian::Query((Zeat:(pos=1) AND (0 * I@user1 OR ((0 *
I#user OR 0 * I#user1) AND_NOT 0 * Ouser1) OR (((0 * I* AND_NOT 0 *
Ouser1) AND_NOT 0 * Guser) AND_NOT 0 * Guser1))))
2 results found:
1: 100% docid=4 [url=/file4.txt
sample=I like to eat mushrooms
type=text/plain
modtime=1393396086
size=24]
2: 100% docid=6 [url=/file3.txt
sample=I like to eat cheese
type=text/plain
modtime=1393395683
size=21]
}}}
for user2: eat AND (write:@user2 OR ( ( write:#user OR write:#user2 ) NOT
user:user2 ) OR ( write:* NOT user:user2 NOT group:user NOT group:user2) )
{{{
Parsed query is: Xapian::Query((Zeat:(pos=1) AND (0 * I@user2 OR ((0 *
I#user OR 0 * I#user2) AND_NOT 0 * Ouser2) OR (((0 * I* AND_NOT 0 *
Ouser2) AND_NOT 0 * Guser) AND_NOT 0 * Guser2))))
4 results found:
1: 100% docid=4 [url=/file4.txt
sample=I like to eat mushrooms
type=text/plain
modtime=1393396086
size=24]
2: 100% docid=2 [url=/file1.txt
sample=I like to eat apples
type=text/plain
modtime=1393388770
size=21]
3: 100% docid=6 [url=/file3.txt
sample=I like to eat cheese
type=text/plain
modtime=1393395683
size=21]
4: 100% docid=8 [url=/file2.txt
sample=I like to eat honey
type=text/plain
modtime=1393391391
size=20]
}}}
--
Ticket URL: <http://trac.xapian.org/ticket/632#comment:3>
Xapian <http://xapian.org/>
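Added example, not part of the ticket comment or the patch: a plain-Python model of the scheme the comment describes, deriving the I@/I#/I*/O/G terms from the five ACLs and applying the boolean filter from the parsed queries. The names `acl_terms`, `can_read` and `visible` are hypothetical, the term derivation is inferred from the delve output above, and applying the mask entry to named-user and group entries is an assumption.

```python
# ACL entries constructed from the getfacl listings in the comment.
FILES = {
    "file1.txt": "user::rw- user:user1:--- user:user2:r-- group::r-- mask::r-- other::r--",
    "file2.txt": "user::rw- group::r-- group:user1:--- group:user2:r-- mask::r-- other::r--",
    "file3.txt": "user::rw- group::r-- group:user1:r-- mask::r-- other::r--",
    "file4.txt": "user::rw- group::r-- other::r--",
    "file5.txt": "user::rw- group::r-- other::---",
}

def acl_terms(acl, owner="root", group="root"):
    """Map ACL entries to access terms, as inferred from the delve output."""
    entries = [e.split(":") for e in acl.split()]
    # Assumption: the mask caps named-user and all group entries.
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    terms = set()
    for tag, name, perm in entries:
        read = perm[0] == "r"
        if tag == "user":
            if name:  # the owner entry (empty name) is not masked
                read = read and mask[0] == "r"
            terms.add("O" + (name or owner))  # listed in a user entry
            if read:
                terms.add("I@" + (name or owner))
        elif tag == "group":
            read = read and mask[0] == "r"
            terms.add("G" + (name or group))  # listed in a group entry
            if read:
                terms.add("I#" + (name or group))
        elif tag == "other" and read:
            terms.add("I*")
    return terms

def can_read(terms, user, groups):
    """The filter from the parsed queries, evaluated on one term set."""
    named_user = "O" + user in terms
    named_group = any("G" + g in terms for g in groups)
    return ("I@" + user in terms
            or (any("I#" + g in terms for g in groups) and not named_user)
            or ("I*" in terms and not named_user and not named_group))

def visible(user, groups):
    """Files whose derived terms pass the filter for this user."""
    return sorted(f for f, acl in FILES.items()
                  if can_read(acl_terms(acl), user, groups))

if __name__ == "__main__":
    print(visible("user1", ["user", "user1"]))
    print(visible("user2", ["user", "user2"]))
```

The `AND_NOT` branches are what keep file1.txt and file2.txt away from user1 even though both carry an `I*` term.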