apachesolr_search_custom_page_search_form_submit() kills all $_GET parameters if 'retain-filters' is not set!
It must only remove filters!

Comments

nick_vh’s picture

Could you give me an example of values that you are adding there and that cause problems?

I'd like to know if we should kill any other parameter also (such as fq)

nick_vh’s picture

Also, we have to do something like this, because otherwise user input might find it's way through the code and possibly do bad things. Can we do this with a little more control perhaps? Which value do you need to pass that is not a facet and can't happen anywhere else?

mkalkbrenner’s picture

Issue #502976: Other GET parameters ignored by Apache Solr Facet Blocks explains the problem. The issue has already been fixed in earlier versions.

Apache Solr Multilingual for example adds detach-auto-language-filter=1, the same way apachesolr adds retain-filters=1 when required.

mkalkbrenner’s picture

Stuff like paging still works with my patch applied.

nick_vh’s picture

should we have some variable that states which variables are allowed? If we don't - people can just add stuff randomly and it will cause problems in the array because it is not filtered out of it

mkalkbrenner’s picture

I think it has to be the other way round. apachesolr only has to grap and remove it's own stuff, but leave everything else added by users untouched during the form redirect.

If users want to add custom stuff that has to be handled by retain-filters, they have to add this using alter hooks.

nick_vh’s picture

I just see some problems in a link like this

search/site?a=a&b=b&c=c&d=d&e=e&f=f&...

We won't discard this information, but we won't use it either. It will take up useless space in the memory. Luckily the url can only go 4096 characters and we don't support POST arguments.

mkalkbrenner’s picture

It will take up useless space in the memory. Luckily the url can only go 4096 characters and we don't support POST arguments.

This problem is not specific for apachesolr. It's a common problem.
And the get parameters might already exist. The current implementation only deletes them and redirects.

Are there any other arguments against my patch?

nick_vh’s picture

I'm just seeing three entries in the module that could cause problems when we do this

search for : array_diff_key($_GET

I really think we should have some variable with allowed get parameters for solr. You could, as contrib module, add your param to this list and it would be accepted on all fronts

if we do this, we might want to retain all accepted parameters instead of only discarding 'f'

mkalkbrenner’s picture

OK, I'll accept this solution. Who will work on this patch?

mkalkbrenner’s picture

StatusFileSize
new970 bytes

Like discussed in our recent chat:

I inroduced a new variable 'apachesolr_search_protected_query_parameters' holding a list of all get parameters that should not be deleted if retain-filters is not set (see patch attached).

In apachesolr_multilingual.install I register our variable to be protected:

/**
 * Implements hook_enable().
 */
function apachesolr_multilingual_enable() {
  variable_set('apachesolr_search_protected_query_parameters',
    array_merge(
      variable_get('apachesolr_search_protected_query_parameters', array()),
      array('detach-auto-language-filter')
    )
  );
}

/**
 * Implements hook_disable().
 */
function apachesolr_multilingual_disable() {
  variable_set('apachesolr_search_protected_query_parameters',
    array_diff(
      variable_get('apachesolr_search_protected_query_parameters', array()),
      array('detach-auto-language-filter')
    )
  );
}
pwolanin’s picture

i like the original patch better, though we also need to remove 'fq', and need ideally to ask the adpater about the GET parameter, and not assume it's 'f'

pwolanin’s picture

StatusFileSize
new2.14 KB

Here's that with some code comment cleanup.

We should figure out how to actually pull the filter key out of facetapi - it's rather too buried, and in hindsight I'm not sure making that flexible was the right choice.

mkalkbrenner’s picture

Status: Needs review » Reviewed & tested by the community

I would like to see the last patch to be committed. That's the solution I prefered when starting the issue and it reduces code in apachesolr_multilingual.

// We may also have filters added by facet API module. The 'f'
// is determined by variable FacetapiUrlProcessor::$filterKey. Hard
// coded here to avoid extra class loading.
if (!empty($_GET['f']) && is_array($_GET['f'])) {
...

Having this comment in the code is OK for now. From my point view, dealing with FacetapiUrlProcessor::$filterKey is a different issue.

pwolanin’s picture

Yes, there is no easy way to get the value at the point when we need it, so I think we have to leave it hard-coded for now.

cpliakas’s picture

Apache Solr Search Integration should be responsible for setting this path anyways. The only issue will be with Facet API Pretty Paths which overrides the adapter, but maybe that can be tackled later. I believe it defaults to "f" as well for the remaining filters.

pwolanin’s picture

Version: 7.x-1.x-dev » 6.x-3.x-dev
Status: Reviewed & tested by the community » Patch (to be ported)

committed - needs backport

pwolanin’s picture

Status: Patch (to be ported) » Fixed

applied and commited

pwolanin’s picture

applied and commited

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.