Administering apache solr search is set to 'administer site configuration'. But since this module requires the search module and it has a more defined set of search access controls, it should be using that instead. I think it should be set to

    'access' => user_access('administer search'),

on lines 18 and 24 of apachesolr.module.

Comments

JacobSingh’s picture

Agreed. Can you submit a patch for this?

kleung11’s picture

Attachment (status: new, size: 1005 bytes)

Patch attached.

kleung11’s picture

Status: Active » Needs review

JacobSingh’s picture

Status: Needs review » Patch (to be ported)

Hey folks,

I just committed this one because it was so trivial and obvious. Feel free to revert if there is any issue.

Thanks kleung!

robertdouglass’s picture

I'd feel best if we ported things like this immediately.

JacobSingh’s picture

Assigned: Unassigned » JacobSingh

JacobSingh’s picture

Version: 5.x-1.0-alpha3 » 6.x-1.x-dev
Status: Patch (to be ported) » Fixed

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

kleung11’s picture

Version: 6.x-1.x-dev » 5.x-1.x-dev
Component: User interface » Code
Status: Closed (fixed) » Needs review
Attachment (status: new, size: 354 bytes)

Apache delete index should also check "administer search" instead. Trivial patch included.

pwolanin’s picture

Please post diffs in unified (-u) format.

JacobSingh’s picture

I think we decided to go back to "administer site configuration" for the following reasons:

1. We don't want to require the search module at some point (although we still do).

2. Creating more perms is a PITA for new users.

That being said, I can see a use case where someone at an org can modify boosting params, but cannot see everyone's social security #s. So I'm actually in favor of doing this.

I'll make a patch, but what do people think?

a). use administer search (thereby requiring search module as long as we do this).

b). use a new permission like "administer apachesolr"

c). leave it as is.

Best,
Jacob

pwolanin’s picture

Given that we depend on the search module, we should probably use 'administer search' for most of this. Possibly "delete index" should still be limited?

pwolanin’s picture

Version: 5.x-1.x-dev » 6.x-1.x-dev
Category: bug » feature
Attachment (status: new, size: 6.17 KB)

janusman’s picture

Status: Needs review » Needs work

Missed a line in apachesolr.admin.inc:

    // This form can't be seen by anyone without 'administer site configuration'

Otherwise, it works.

pwolanin’s picture

Status: Needs work » Fixed
Attachment (status: new, size: 7.2 KB)

Fixed code comment. Committing to 6.x.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.