Yes, please document this for FCREPO-1008. It is a fine real-life example of in-search filtering. I will include your patch later.
On 26/10/2011, at 18.00, Swithun Crowe wrote:
> I've attached a patch which lets me use the value/s in the
> FEDORA_AUX_SUBJECT_ATTRIBUTES servlet attribute to refine queries.
> The extraction of the appropriate attribute values and their use in an
> in-search filter is probably quite specific to the archiving project I'm
> working on. But it should give an idea of how it can be done.
> In our archive, we will store objects related to many different projects.
> Each project has resources of 3 different types: data, source code and
> documentation. Different users will be allowed to see objects belonging to
> some or all of these different resource types for projects they are
> involved with.
> The Fedora PIDs are made up of 3 parts - a two part prefix and a UUID
> generated outside of Fedora. The prefix is made up of a project code and a
> resource type code, so a PID looks like this:
> Here is what the patch does:
> The HTTP request comes into RESTImpl.java, and is passed to the
> gfindObjects method. The FEDORA_AUX_SUBJECT_ATTRIBUTES attribute is a Map
> with String keys and Set<String> values. I'm interested in the fedoraRole
> key, and convert the Set of strings into an array of strings.
> This string array gets passed to the Config object's getOperationsImpl
> method, which passes it on to the GenericOperationsImpl object's init
> method. Here it is stored in a protected class member.
> OperationsImpl's gfindObjects method can then pass this on to the
> rewriteQueryForInsearch method in the SearchResultFilteringDemoImpl
> Here, the values for fedoraRole are examined. If there are no roles, then
> the user shouldn't see anything. If one of the roles is 'administrator',
> then no extra filtering is needed, as they are allowed to see everything.
> Otherwise, each role is examined to see if it contains a _ (underscore).
> If it does, then the role value is composed of a project prefix and a
> project role suffix.
> One suffix is 'admin', which means that the user can see everything in a
> project. Another suffix is 'reader', which means they can see data
> resources. So, if a user has 'rps_admin' as a fedoraRole value, then
> 'PID:rps-*' is added to the query. If the user has 'rps_reader' as a
> fedoraRole, then 'PID:rps-data*' is added to the query. There is no need
> for an extra field(s) in the index. This mimics the effect of the XACML
> policies in Fedora.
> I haven't tried this yet with the LDAP filter that comes with
> fedora-server.jar, or the SSO filter that Adam and Scott have produced.
> But it works with the XML user file filter, and the Lucene engine.
> Shall I document this for FCREPO-1008?
> The University of St Andrews is a charity registered in Scotland: SC013532
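
The role-to-filter mapping described in the quoted message, as an added example (it is not part of the original mail or the attached patch). The class name `RoleQueryFilter` and method `rewrite` are hypothetical. The example assumes that project codes are alphanumeric, that the PID clauses are ANDed onto the user's query, and that "see nothing" is signalled by an empty `Optional`.

```java
import java.util.*;
import java.util.regex.Pattern;

/** Added illustration; names are hypothetical, not GSearch code. */
public class RoleQueryFilter {
    // Assumption: project codes are alphanumeric, so a role value can never
    // carry Lucene query syntax (spaces, ':', '*', parentheses) into the query.
    private static final Pattern PROJECT = Pattern.compile("[A-Za-z0-9]+");

    /** Returns the restricted query, or empty when the search must not run. */
    public static Optional<String> rewrite(String userQuery, Set<String> fedoraRoles) {
        if (fedoraRoles == null || fedoraRoles.isEmpty()) {
            return Optional.empty();                 // no roles: user sees nothing
        }
        if (fedoraRoles.contains("administrator")) {
            return Optional.of(userQuery);           // no extra filtering needed
        }
        Set<String> clauses = new TreeSet<>();       // sorted and de-duplicated
        for (String role : fedoraRoles) {
            int i = role.lastIndexOf('_');
            if (i <= 0) continue;                    // not a project role
            String project = role.substring(0, i);
            String suffix = role.substring(i + 1);
            if (!PROJECT.matcher(project).matches()) continue; // unexpected characters
            if (suffix.equals("admin")) {
                clauses.add("PID:" + project + "-*");       // everything in the project
            } else if (suffix.equals("reader")) {
                clauses.add("PID:" + project + "-data*");   // data resources only
            }                                        // any other suffix grants nothing
        }
        if (clauses.isEmpty()) return Optional.empty();     // fail closed
        // Both sides are parenthesised so that an OR in a well-formed user
        // query cannot widen the role filter.
        return Optional.of("+(" + userQuery + ") +(" + String.join(" OR ", clauses) + ")");
    }

    public static void main(String[] args) {
        // Constructed sample queries and role sets.
        System.out.println(rewrite("dc.title:survey OR dc.title:report",
                Set.of("rps_admin", "abc_reader")));
        System.out.println(rewrite("dc.title:survey", Set.of("rps_reader", "ab*_admin")));
        System.out.println(rewrite("dc.title:survey", Set.of()));
    }
}
```

String concatenation relies on the user's query being well-formed. Parsing the user query first and attaching the role clauses as a required clause on the parsed query object avoids that dependency.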