rdm: define additional record permissions schema and logic #12
Conversation
fenekku
force-pushed
the
permissions_metadata
branch
from
9a95f8c to
9089664
Compare
fenekku
force-pushed
the
permissions_metadata
branch
from
9089664 to
d4cf887
Compare
fenekku
changed the title
There was a problem hiding this comment.
We need to be very careful (we implemented the same in ILS) and I would like to have a quick brainstorming around this (we will discuss with the other architects), because as you said we are introducing a mix of implicit/explicit permission.
Another small drawback is that when adding permissions in the record metadata, they are indexed in Elasticsearch and we are having some issues with that.
E.g. I have a record with:
permissions:
can_read: [{
2, 'person'
}]
...
all other fields of the record, the word `person` is not appearing in any field
...
And then the user searches for the text person, the record above will appear in the results, but the there is no record field having the text person.
To be discussed...
|
@ntarocco I had the same issue in Citadel Search (rebrand of CERN Search). At the moment (8 months ago) there was no way of removing a field form the search in ES (v6.2), maybe now there is one. The way I solved it was to replicate the behaviour of _access: explicit permissions here
_ data: all fields with content to be searchableAfterwards by using the ES python DSL, you can specify the field in which the query will be performed (https://github.com/elastic/elasticsearch-dsl-py/blob/master/elasticsearch_dsl/query.py#L12 through params to https://www.elastic.co/guide/en/elasticsearch/reference/current/query-dsl-query-string-query.html see "default_field"). However, I recall issues with booleans and dates, because they were not strings so I had to move them out of this default fields. From my perspective the tasks would be:
|
This is an extension to RFC #7 . To be verified by implementation work (inveniosoftware/invenio-records-permissions#16).