Implement category-based permissioning for search results

Only see what you can see. Co-Authored-By: Saul S <sauls8t@users.noreply.github.com>
2025-08-02 20:15:26 +02:00 · 2018-06-22 17:01:26 +01:00 · 2018-06-22 17:01:26 +01:00 · 467acec3c4
commit 467acec3c4
parent ae50b889c5
5 changed files with 95 additions and 9 deletions
--- a/domain/search/mysql/store.go
+++ b/domain/search/mysql/store.go
@ -151,7 +151,7 @@ func (s Scope) DeleteContent(ctx domain.RequestContext, pageID string) (err erro
 }

 // Documents searches the documents that the client is allowed to see, using the keywords search string, then audits that search.
-// Visible documents include both those in the client's own organisation and those that are public, or whose visibility includes the client.
+// Visible documents include both those in the client's own organization and those that are public, or whose visibility includes the client.
 func (s Scope) Documents(ctx domain.RequestContext, q search.QueryOptions) (results []search.QueryResult, err error) {
 	q.Keywords = strings.TrimSpace(q.Keywords)
 	if len(q.Keywords) == 0 {
--- a/domain/search/search.go
+++ b/domain/search/search.go
@ -14,8 +14,10 @@ package search
 import (
 	"github.com/documize/community/domain"
 	"github.com/documize/community/model/attachment"
+	"github.com/documize/community/model/category"
 	"github.com/documize/community/model/doc"
 	"github.com/documize/community/model/page"
+	sm "github.com/documize/community/model/search"
 )

 // IndexDocument adds search indesd entries for document inserting title, tags and attachments as
@ -103,3 +105,34 @@ func (m *Indexer) DeleteContent(ctx domain.RequestContext, pageID string) {

 	ctx.Transaction.Commit()
 }
+
+// FilterCategoryProtected removes search results that cannot be seen by user
+// due to document cateogory viewing permissions.
+func FilterCategoryProtected(results []sm.QueryResult, cats []category.Category, members []category.Member) (filtered []sm.QueryResult) {
+	filtered = []sm.QueryResult{}
+
+	for _, result := range results {
+		hasCategory := false
+		canSeeCategory := false
+
+	OUTER:
+
+		for _, m := range members {
+			if m.DocumentID == result.DocumentID {
+				hasCategory = true
+				for _, cat := range cats {
+					if cat.RefID == m.CategoryID {
+						canSeeCategory = true
+						continue OUTER
+					}
+				}
+			}
+		}
+
+		if !hasCategory || canSeeCategory {
+			filtered = append(filtered, result)
+		}
+	}
+
+	return
+}