[TYPO3-core] Problem regarding crawler, indexed_search and fe_groups access to search results

Patrick Schriner pschriner at gmx.de
Thu Oct 16 09:13:50 CEST 2014


Hi Luc,

if you want a simple solution (and have simple access rights) you can do  
the following:

Patch checkResume to only respect the rootline usergroups. Given the  
pageId of the current row, fetch the rootline for this page and check at  
each node whether your searching user is eligible to view that page.

This will only work if you don't restrict access rights down to content  
elements (but if you don't show a detailed description, even that might be  
ok - the user will have to visit the page anyway).

If you want to keep your index tighter (and don't have access restricted  
content elements) you can add code to have indexed_search not add new  
index entries when index data for a page exists with a different gr_list.

Creating index data for > 10 usergroups (and the resulting combinations)  
is also a very sure way to kill a slow server. Crawling all pages several  
times is not fast.

Regards,
Patrick

On Wed, 08 Oct 2014 10:44:52 +0200, Luc Muller <l.nospam.muller at ameos.com>  
wrote:

> Hello Everybody.
>
> I have a little question / problem regarding crawler and indexed_search  
> and usergroups access.
>
> Short : When a user has a different fe_groups configuration than the one  
> configured when crawling he can't get search results in indexed search  
> even if he is part of the fe_group configured for crawling.
>
> Well here's a detailed case.
>
> let's say we have 2 fe_groups in the website
>
> uid 10 : Basic FrontedUser
> uid 20 : Communication
>
> My crawler config says :
>
> Crawl with FE usergroups : 10
>
> Thus resulting in having the table 'index_grlist' filled with 0,-2,10 in  
> the field gr_list.
>
> let's now assume we have two fe_users :
>
> user_one has fe_groups : 10
> user_two has fe_groups : 10,20
>
> Then when performing a search in indexed_search a check is made to  
> verify that we can have access to the found results.
>
> that's going on in the file :  
> typo3/sysext/indexed_search/Classes/Controller/SearchFormController.php
>
> the check is made in 2 times in the function checkResume at line 1199
>
> at line 1225 we have : if ((string)$row['gr_list'] !==  
> (string)$GLOBALS['TSFE']->gr_list) {
>
> thus meaning that a check is made if the TSFE->gr_list matches exactly the  
> gr_list of indexed data
>
> in case of user_one we have $GLOBALS['TSFE']->gr_list = 0,-2,10
> 	=> EXACT MATCH : display the results
> in case of user_two we have $GLOBALS['TSFE']->gr_list = 0,-2,10,20
> 	=> NO MATCH continue the code
>
> Then we arrive at line 1228 where we find this query performed to check  
> if the user can have access to the found results
>
> $res = $GLOBALS['TYPO3_DB']->exec_SELECTquery('phash', 'index_grlist',  
> 'phash=' . (int)$row['phash'] . ' AND gr_list=' .  
> $GLOBALS['TYPO3_DB']->fullQuoteStr($GLOBALS['TSFE']->gr_list,  
> 'index_grlist'));
>
> and this part of the query makes an exact match of the gr_list in the  
> data with the gr_list of TSFE
>
> AND gr_list=' .  
> $GLOBALS['TYPO3_DB']->fullQuoteStr($GLOBALS['TSFE']->gr_list,  
> 'index_grlist')
>
> so in case of my 'user_two' this part of the query would look like : AND  
> gr_list='0,-2,10,20'
>
> this won't match the gr_list in index_grlist and my user won't access  
> the search results even if he belongs to a usergroup that is configured  
> to be crawled.
>
> So, is anyone kind enough to explain to me where I am missing anything ?
>
> Or is there such a bug ?
>
> In my opinion the gr_list field index_grlist table should only contain  
> the fe_groups configured for crawling the pages with crawler. On the  
> other side, indexed search should perform a check if he can match one of  
> the ids of $GLOBALS['TSFE']->gr_list in the field gr_list of the table  
> index_grlist.
>
> Thanks a lot for your support on this point
>
> Cheers,
>
> Luc Muller
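
The rootline check suggested in the reply, next to the exact-match comparison quoted from checkResume, as an added example that is not part of the original mails and is not TYPO3 code. The page tree and the helpers `rootline()` and `rootlineAllows()` are constructed for illustration, and treating an empty `fe_group` as group 0 is an assumption.

```php
<?php
$pages = [ // constructed sample page tree (not a real site): uid => pid, fe_group
    1 => ['pid' => 0, 'fe_group' => ''],    // site root, public
    5 => ['pid' => 1, 'fe_group' => '10'],  // restricted to group 10
    7 => ['pid' => 5, 'fe_group' => ''],    // subpage below the group 10 page
    9 => ['pid' => 5, 'fe_group' => '20'],  // restricted to group 20
];

// The comparison quoted from checkResume: the whole gr_list string must match.
function exactMatch(string $indexedGrList, string $userGrList): bool
{
    return $indexedGrList === $userGrList;
}

// Hypothetical helper: rows from the page up to the root; null if broken or looping.
function rootline(array $pages, int $uid): ?array
{
    $line = [];
    while ($uid !== 0) {
        if (!isset($pages[$uid]) || count($line) > 99) {
            return null;
        }
        $line[] = $pages[$uid];
        $uid = (int)$pages[$uid]['pid'];
    }
    return $line;
}

// Rootline check: the user needs at least one matching group at every node.
function rootlineAllows(array $pages, int $uid, string $userGrList): bool
{
    $line = rootline($pages, $uid);
    if ($line === null || $line === []) {
        return false; // unknown page or broken chain: deny
    }
    $userGroups = explode(',', $userGrList);
    foreach ($line as $page) {
        $pageGroups = explode(',', $page['fe_group'] ?: '0'); // empty = group 0
        if (array_intersect($pageGroups, $userGroups) === []) {
            return false;
        }
    }
    return true;
}

foreach (['user_one' => '0,-2,10', 'user_two' => '0,-2,10,20'] as $name => $grList) {
    printf("%s exact=%d page7=%d page9=%d\n", $name, exactMatch('0,-2,10', $grList),
        rootlineAllows($pages, 7, $grList), rootlineAllows($pages, 9, $grList));
}
```

As the reply points out, a check of this kind does not cover access restrictions set on individual content elements.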

