Security On Certain Results

For our main product index, we have an attribute that lists User Group IDs which have access to a specific result. We do this to restrict some products to only users of specific groups. The attribute is in the form of a comma separated list of Group IDs. “101,104,110” as an example. If the attribute is blank, that product is accessible to all users.

For each user searching on our site, we know the list of groups that user is in. It takes the same format as the attribute above. “101,102,110,116”. That means that they have access to products which are in groups 101, 102, 110, or 116.

Is there a way to pass the users security groups as part of a filter to ensure that if a result contains a access list, we only display to users who have at least one of the elements of the access list in their groups? If the user does not have access to a specific result due to the security groups that product belongs to, we don’t want to display it in the results. But if the result does not contain an access list at all, it is displayed since it is accessible to any user searching.

  1. If a specific results security list is empty, display it.
  2. If a specific result’s security list contains at least one element that is in the user’s security list, display it.
  3. If a specific result’s security list contains zero elements which are in the user’s security list, don’t display it.
  4. As a generalized rule, if the user’s security group list is empty, don’t display any results that have a security attribute (same as #3, but simplified for the empty user security group edge case)

I hope this makes sense and there is an easy to way do this!

Hello RyanBorn,

Thank you for reaching out.

What you describe can be achieved with Algolia filtering logic at query time using the filters parameter.

To achieve all the use-cases you described, you could organise your records as follow:
(Don’t forget to configure your attributesForFaceting)

    "objectID": "A",
    "permissions": "all"
    "objectID": "B",
    "permissions": "100"
    "objectID": "C",
    "permissions": ["101", "102"]

To get results with one matching permissions

"filters" : "permissions:100 OR permissions:all"

[A, B] will match

Similar as above, but with several matching permission

Disjunctive: Either will do
"filters" : "permissions:100 OR permissions:101 OR permissions:all"

[A, B, C] will match

Conjunctive: Both are mandatory
"filters" : "permissions:100 AND permissions:102 OR permissions:all"

[A] will match

If a user doesn’t have any permission, pass the “none” filter instead:

"filters" : "permissions:none OR permissions:all"

[A] will match

You’ll still get the results with no permission restriction, but no other records will match the “none” filter.

In conclusion, you can achieve all of the listed use cases. Let us know if you have further questions.

Best regards