SharePoint 2010 FAST Search: Displaying records a user does not have access to
-
Thursday, April 05, 2012 3:05 AM
Hi,
First of all, I know the title sounds strange, but it is a valid and qualified requirement we have from one of our customers. What we hope to do is to show them just the record name and location (read only) of all records that were not displayed in their search results due to no access.
Now, the first way we wanted to do this was by calling the FAST search web service directly using the search API. However, we wanted this to work seamlessly with the existing fast search centre, i.e. they can still use the existing search box, advanced search, etc. As we understand it, the API may not integrate well with URL based search queries unless we convert the query to FQL. We would rather not go down this path if there is an alternative such as the below;
We had an idea to extend the CoreResultsWebPart component to simply elevate the user's privileges to an admin account temporarily while the search is executed. After decompiling and looking at the code for CoreResultsWebPart, I thought this would be super easy with the following code;

using System.Net;
using Microsoft.Office.Server.Search.WebControls;

public class VisualWebPart1 : Microsoft.Office.Server.Search.WebControls.CoreResultsWebPart
{
    protected override void ConfigureDataSourceProperties()
    {
        base.ConfigureDataSourceProperties();
        CoreResultsDatasource ds = DataSource as CoreResultsDatasource;
        // Replace any credentials registered for this search location with a fixed account.
        if (ds.UserCredentials.ContainsKey(ds.Location))
            ds.UserCredentials.Remove(ds.Location);
        ds.UserCredentials.Add(ds.Location, new NetworkCredential("User", "Password", "Domain"));
    }
}

However, we were mistaken; this doesn't work at all. It's strange as looking through the code for CoreResultsWebPart, I don't see any other access control mechanism, what I mean is, I don't see anywhere where the user credentials are being handled except here in the data source (UserCredentials). I'm sure the CoreResultsWebPart must be making a direct call to the web service but I have no idea where else the credentials are passed.
Any help would be greatly appreciated before we start looking at simply creating a custom web part. Even if it's to tell me we're on the wrong path!
Thanks!
Adrian
- Edited by littleade Thursday, April 05, 2012 8:36 AM
All Replies
-
Thursday, April 05, 2012 9:33 AM
To perform a search operation you need to execute the search by an account that has access to all items in the search engine.
To perform a search in SharePoint you have to impersonate the user that you want to use to execute the search operation.
This is how you can impersonate:
// Requires: using System; using Microsoft.SharePoint;
string siteStr = "http://mysharepointsite/";

// We just need a handle to the site to get the system account user token.
SPUserToken systoken;
using (SPSite tempSite = new SPSite(siteStr))
{
    systoken = tempSite.SystemAccount.UserToken;
}

using (SPSite site = new SPSite(siteStr, systoken))
{
    using (SPWeb web = site.OpenWeb())
    {
        // Right now, logged in as the site system account.
        Console.WriteLine("Currently logged in as: " + web.CurrentUser.ToString());
        // Add your code here.
    }
}

This code is copied from this site.
http://www.arnoldboersma.nl
-
Monday, April 09, 2012 4:05 AM
Hi Arnold,
Appreciate the reply. However, this will not solve the problem. I'm aware of impersonation via the above method, but this method is not relevant in the context I have provided. What I need, as outlined in my initial question, is the ability to run an enterprise level search (from search centre) using elevated privileges by overriding one of the method implementations from the core results web part provided OOB in the default FAST search centre. As I mentioned, if this cannot be done we will be forced to create a custom web part.
Thanks,
Adrian
-
Monday, April 09, 2012 9:25 AM
Hello Adrian,
This is what I found in 'FASTSearchServer2010_SearchEvalGuide':
Custom security trimming
SharePoint Server 2010 provides support for custom security trimming of search results through a SecurityTrimmer interface (ISecurityTrimmer2). FAST Search Server 2010 for SharePoint does not support this interface for result-side custom security trimming. All security trimming is performed as part of the query matching, based on ACL information that is stored in the index. Because FAST Search Server 2010 for SharePoint provides query refinement based on all items that match a query, this ensures that refinement counts only reflect the items that the user is entitled to see.
One way to customize security trimming is to write custom claims providers to add principals (groups/users) from other domains into the query rewrite. Another option is to write custom crawlers that provide custom ACL information to the index.
I think you will need to create your own webpart for your requirement.
http://www.arnoldboersma.nl
- Marked As Answer by Qiao Wei (Microsoft Contingent Staff, Moderator) Friday, April 13, 2012 12:00 PM
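The guide excerpt quoted above, as an added example that is not part of the original thread and does not use the FAST or SharePoint API: a constructed in-memory index shows ACL trimming applied during query matching, refiner counts computed on the trimmed hits, and a hypothetical custom web part step that reports only the name and location of hits the user could not see. All type names, method names and sample data are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed model of an index whose items carry ACLs (C# 9 or later); not a real search API.
record Item(string Name, string Location, string Type, string Body, string[] Acl);

static class TrimmingDemo
{
    // Constructed sample index.
    static readonly List<Item> Index = new List<Item>
    {
        new Item("Budget 2012", "/sites/finance/docs", "xlsx", "budget forecast", new[] { "finance" }),
        new Item("Budget memo", "/sites/hr/docs", "docx", "budget headcount", new[] { "hr", "finance" }),
        new Item("Budget FAQ", "/sites/intranet", "docx", "budget questions", new[] { "everyone" }),
        new Item("Lunch menu", "/sites/intranet", "docx", "canteen", new[] { "everyone" }),
    };

    // Query-time trimming: the ACL test is part of matching, so an item the
    // caller cannot read never becomes a hit and there is nothing to filter afterwards.
    static List<Item> Search(string term, ISet<string> principals) =>
        Index.Where(i => i.Body.Contains(term) && principals.Overlaps(i.Acl)).ToList();

    // Refiner counts are computed over the already trimmed hit set only.
    static Dictionary<string, int> Refiners(IEnumerable<Item> hits) =>
        hits.GroupBy(i => i.Type).ToDictionary(g => g.Key, g => g.Count());

    // Hypothetical custom web part logic: repeat the query with a principal set that can
    // read everything, subtract the user's hits, and project to name and location only.
    static List<(string Name, string Location)> Withheld(string term, ISet<string> user, ISet<string> service)
    {
        var visible = Search(term, user).Select(i => i.Location + "/" + i.Name).ToHashSet();
        return Search(term, service)
            .Where(i => !visible.Contains(i.Location + "/" + i.Name))
            .Select(i => (i.Name, i.Location)).ToList(); // body, type and ACL stay server-side
    }

    static void Main()
    {
        var user = new HashSet<string> { "everyone", "hr" };
        var service = new HashSet<string> { "everyone", "hr", "finance" };
        var hits = Search("budget", user);
        Console.WriteLine("hits: " + string.Join(", ", hits.Select(h => h.Name)));
        Console.WriteLine("refiners: " + string.Join(", ", Refiners(hits).Select(kv => kv.Key + "=" + kv.Value)));
        foreach (var w in Withheld("budget", user, service))
            Console.WriteLine("withheld: " + w.Name + " @ " + w.Location);
    }
}
```

The second, elevated query is the only place where restricted items are touched, so the projection in `Withheld` is the control that decides what the user learns about them.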
-
Monday, April 09, 2012 9:37 AM
Hi Arnold,
Thanks for the information. So it looks like the alternative approach is not documented, it's quite funny because all we really need to know is how the credentials are passed from the CoreResultsWebPart to the search API.
Looks like we will have to go down the route of calling the FAST search service directly in a custom web part.
Many Thanks,
Adrian

