Custom ComputedIndexField
How to create a custom ComputedIndexField in Sitecore can be found on several other location on the net. But what if you want to check the security of your item when populating this field?
A simple function could check if your item was readable by an anonymous user:
const string anonymous = @"extranet\Anonymous";
var account = Account.FromName(anonymous, AccountType.User);
return AuthorizationManager.IsAllowed(item, AccessRight.ItemRead, account);
This will work in a normal environment, but if you try this during population of your ComputedIndexField you will always get true. Why?
SitecoreItemCrawler
The responsible crawler - Sitecore.ContentSearch.SitecoreItemCrawler - is designed in such a way to wrap the calls for your ComputedIndexField in a SecurityDisabler. So, the true value in our security check is by design.
And maybe for the best.. it seems like a much better approach to perform security checks indexed results are being accessed. And how do I do this?
Security and index results
Well, you don't. Sitecore does this for you. When you query your index, Sitecore has a Security check build in to the pipeline: <processor type="Sitecore.Pipelines.Search.SecurityResolver, Sitecore.Kernel" /> . This checks the security of the item involved, not of any related items that you might have used to fill your ComputedIndexField. If you also want a security check on those, write a processor to extend the pipeline :)
No comments:
Post a Comment