Currently, there is only a single permission for using autocomplete on all searches. This can lead to security concerns, as autocomplete paths (delivering the autocomplete suggestions as JSON) are not secured by any other means. If suggestions for some searches can contain sensitive information, all users with search autocomplete permission could theoretically see these.

The attached patch (in comment 1) introduces finer-grained permissions, with one for each search for which autocomplete settings exist (i.e., which were previously enabled). This should catch most of the cases.
A note in the admin UI and an update function are also included.

Comments

drunken monkey

Status: Active » Needs review
Attached file: status new, size 5.56 KB
mh86

Status: Needs review » Needs work

Tested the patch: update function and access callback work well, and from a security point of view, the addition of separate permissions is absolutely necessary.

One small note, looks like this function is missing documentation ;-) Everything else is RTBC, in my opinion.

+++ b/search_api_autocomplete.module
@@ -127,11 +128,18 @@ function search_api_autocomplete_entity_info() {
+function search_api_autocomplete_access(SearchApiAutocompleteSearch $search) {
+  return $search->enabled && user_access('use search_api_autocomplete for ' . $search->machine_name) && $search->supportsAutocompletion();
 }
 
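Review bot: search_api_autocomplete_access() is added without a doc comment. It is the function the thread describes as the access callback for the autocomplete paths, so the docblock should state the three conditions it enforces (the search is enabled, the user holds the per-search permission 'use search_api_autocomplete for ' followed by the machine name, and supportsAutocompletion() returns true), and should document the $search parameter and the boolean return. The permission string is also assembled inline in the return statement. If the same name is built anywhere else in the patch (not visible in this hunk), a small helper that returns it would keep the permission definition and this check from drifting apart.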
drunken monkey

Status: Needs work » Fixed

Yes, I already spotted that but found it unnecessary to submit a new patch, just planned to fix it before committing.
Thanks for testing!
Added documentation and committed.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.