Search lists private fields

CCK Field perms can't help you with this unfortunately. It was largely aimed at solving access to editing content. Because of how search works, this module isn't able to limit what is indexed by search. What we need is a CCK level solution....

I've created a patch that can be used to limit the core search indexing to only public view fields. 'Public' meaning the view seen by anonymous users (user=0).

The patch is for 1.10.

To make it work, you also need to make a change to the core node.module in order to signal the 'build mode' that is used by the 'view' nodeapi call. See this other issue raise for the search module - http://drupal.org/node/152493. I'll post the node.module patch there shortly.

To test it out, make sure you go to admin/settings/search and select "re-index site". I also manually delete all my search database tables to be sure.

Does the search indexer run by cron act as a logged in user?
I was quite sure that the indexer ran as an anonymous user.
If it does, it should be enough to re-index your site after you have enabled and configured the cck_field_perms module

suscribing

I don't like the idea of using a core hack for this, so let's try this approach instead.

The challenge with this issue is figuring out when you're in the middle of a search reindexing, vs. when you're just viewing the node. When you're viewing the node, you want to show that content for all users with permissions. But when you're indexing, you don't want that stuff to appear for anyone, ever. Otherwise you end up with anonymous users being able to search for "Forbidden phrase" and getting back results (even if the actual text is hidden).

Come with me, if you will, on a tour of http://api.drupal.org/api/function/node_update_index/5...

hook_nodeapi has a nice hook called 'update index' called at the very end here. The logical developer would say, "Great! update index! That's the perfect hook to implement, since the search index is being updated!" However, the logical developer would be FLAT OUT WRONG because all hook 'update index' lets you do is append stuff to the returned text. Blah.

So instead, you need to go back a couple paces to where hook_nodeapi op alter is called, because the $node->body and $node->title at that point are what's used in the search index.

I'm curious for people to try this, as I'm not sure what other places in contrib are calling hook_nodeapi op alter. And for that matter, I'm not 100% clear on why this works even in core, since hook_nodeapi op alter is called right at the end of node_view, as well, just before the node's passed to the theme layer. But I tested it under the following conditions:

1. As admin, add a CCK field "hidden" to page story type.
2. Add a page and put the phrase "YOU CANT SEE ME" in the field.
3. Verify that you can see it.
4. Run cron.php as admin.
5. Log out.
6. Search for "CANT"
7. Notice that no results are returned!
8. Login as a user with access to view the field.
9. See that you can continue to view it.

Oh. The good news is that in Drupal 6, doing something like this would be a heck of a lot easier, because you get a nice $node->build_mode = NODE_BUILD_SEARCH_INDEX; flag. :)