Search API filter by user permissions

Is there a way to restrict the content of the Telligent Search API to only what the requestor can access inside the Community portal?

From the documentation page, the search API for Telligent looks to be a thin shim for the Solr search backend. As a result, all results are exposed for all users even if the user cannot access the provided link.

What I'm looking for, for example: EmployeeA is a manager and has access to the manageronly blog. If a server requested a search (using the Telligent search API) on his behalf, he could see results from manageronly.

However, EmployeeB is not a manager. If the server requested the same search on his behalf, he would be unable to see results from manageronly.

  

  • It's correct that Solr is used in the backend, but search results provided through the API are already permission trimmed to the user according to roles stored with the Solr documents when Community content is indexed. Your example use case should work. Were you experiencing otherwise? If so, is the job server (and the search index job) running?

  • Hey Michael,

    Is it trimmed via the API Key? In our case, Individual Contributors are seeing blog posts from a group that is only for managers. They cannot access the blog via the link, but they are able to see the blog title and most of the body.

    I should clarify that I am specifically looking at the Search REST API 

     List Search Result REST Endpoint 

    By default, there are no filters and I don't see how I can filter based on a username.

  • Yes, this should be possible. The List Search Results REST endpoint, like other REST endpoints, respects the permissions of the authenticated user performing the request. Since you mention using API keys, are the searches being performed using the API key of a user who does have permission to view the posts, or through the accessing contributors who do not? If it's using a shared key of a user with elevated permissions, that would account for the behavior you're seeing.

    Are these REST requests being performed in the context of Community's own user interface? If so, you don't need to worry about authentication if you use the client-side REST API. It will automatically authenticate as the accessing user, so URLs of search results returned from REST would be navigable by the same user who performed the REST request.

     

    POST api.ashx/v2/batch.{json|xml} Will execute a series of REST requests in batch with a maximum of 100. Request Parameters Name Type Location Description Required Default Options _REQUEST_X_DATA string…
    Last edited in Verint Community 12.x > API Documentation

    jQuery.telligent.evolution REST helpers This module exposes helper methods to assist with performing ajax requests against the REST API. They are essentially thin wrappers over jQuery.ajax(), and all…
    Last edited in Verint Community 12.x > API Documentation
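
The shared-key behavior and its fix described in the reply above, as an added example that is not part of the original thread and not Verint's own code: a server builds every search with the `Rest-User-Token` and `Rest-Impersonate-User` headers so the results are trimmed to the end user instead of the key owner. The search path, the `Query` parameter name, the host, key, account names and the `fake_community` stand-in are assumptions constructed for the example; confirm header usage and the impersonation permission the key owner needs against your version's REST authentication documentation.

```python
import base64
from urllib.parse import urlencode

BASE = "https://community.example"            # placeholder host
SEARCH_PATH = "/api.ashx/v2/search.json"      # assumed List Search Results path
KEY, KEY_OWNER = "constructed-key", "svc-search"  # constructed credentials


def rest_user_token(api_key, key_owner):
    """Rest-User-Token header value: base64 of "apikey:username"."""
    return base64.b64encode(f"{api_key}:{key_owner}".encode()).decode()


def build_search_request(on_behalf_of, query):
    """Return (url, headers) for a search trimmed to `on_behalf_of`."""
    # Fail closed: no end user (or a name that could split a header) means no search.
    if not on_behalf_of or "\r" in on_behalf_of or "\n" in on_behalf_of:
        raise ValueError("a valid end-user name is required for every search")
    headers = {
        "Rest-User-Token": rest_user_token(KEY, KEY_OWNER),
        "Rest-Impersonate-User": on_behalf_of,
    }
    return f"{BASE}{SEARCH_PATH}?{urlencode({'Query': query})}", headers


# Constructed stand-in for the Community server so the example runs offline.
ROLES = {"svc-search": {"managers", "everyone"},
         "EmployeeA": {"managers", "everyone"},
         "EmployeeB": {"everyone"}}
INDEX = [("manageronly: Q3 reviews", "managers"), ("news: cafeteria menu", "everyone")]


def fake_community(url, headers):
    """Trim results to the effective user; the query text is ignored here."""
    key, owner = base64.b64decode(headers["Rest-User-Token"]).decode().split(":", 1)
    if (key, owner) != (KEY, KEY_OWNER):
        raise PermissionError("unknown API key")
    user = headers.get("Rest-Impersonate-User", owner)
    return [title for title, role in INDEX if role in ROLES[user]]


def search_as(user, query):
    """Corrected pattern: the search runs as the user it is performed for."""
    return fake_community(*build_search_request(user, query))


def search_with_shared_key(query):
    """Problem pattern from the thread: every search runs as the key owner."""
    return fake_community(BASE + SEARCH_PATH, {"Rest-User-Token": rest_user_token(KEY, KEY_OWNER)})
```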
      
