Boolean expression Lock Strings (secBoolExpr DLS plugin)
Overview
A DLS plugin which resolves a boolean expression (lock string) on a document against the user's keys, where the values in those keys define what is true.
For example, the lock string on a document could be:
AUTHOR|EDITOR
And so the user would need to have either AUTHOR or EDITOR as values within their user keys. For example, if the user had user keys:
collection_name;AUTHOR,collection_name;VIEWER
Then that user would have access to the above document.
When evaluating an expression, all values the user has are set to true while all missing values are set to false. For the above example it would become:
true|false
Which evaluates to true.
Enabling the Plugin
To enable the plugin, set the following in collection.cfg:
security.earlybinding.locks-keys-matcher.name=secBoolExpr
and set -lock_string_mod_mode=raw on the indexer.
For example in collection.cfg:
indexer_options=-lock_string_mod_mode=raw
Operators
This plugin supports the following logical operators, ordered from lowest to highest precedence:
- or: can be represented as 'OR', '|' and ','.
- and: can be represented as 'AND', '.' and '&'.
- not: can be represented as 'NOT', '!' and '-'.
- (): can be represented as '(' and ')'.
Operator types can be mixed in a single lock string. The following are valid lock strings for this plugin:
a OR b | c , d
NOT!-a
a AND b . c & d
Word operators are case sensitive and are currently only understood in their upper case form.
Values
Values are case sensitive non-zero ASCII strings consisting of the following characters:
- 0-9
- a-z
- A-Z
- _
and must not be any operator, including NOT, OR, AND. Additionally, values must not be the lowercase or any other case form of any operator. For example, values should not be and, And, not, or, etc. Values may contain operators within them, e.g. NOT_A, which will be processed like any other value.
Missing Lock Strings
Documents with a missing, empty or zero-length boolean expression will be treated as having a lock string that does not permit access by any user.
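The rules in the Operators, Values and Missing Lock Strings sections, sketched as an added example (not the plugin's own code): a recursive-descent evaluator that applies the documented precedence and denies access for missing or empty lock strings. The user-key format "collection;VALUE" is assumed from the example keys above, and denying on malformed lock strings or on values that are case variants of word operators is a choice made for this example.

```python
import re

OPS = {"OR": "|", "|": "|", ",": "|", "AND": "&", ".": "&", "&": "&",
       "NOT": "!", "!": "!", "-": "!", "(": "(", ")": ")"}  # spellings listed on the page

def evaluate(lock, held):
    tokens = re.findall(r"[A-Za-z0-9_]+|[|,.&!()-]", lock)
    if "".join(tokens) != "".join(lock.split()):
        raise ValueError("character outside the value and operator alphabet")
    i = 0
    # Canonical operator at the cursor; None for a value or the end of input.
    peek = lambda: OPS.get(tokens[i]) if i < len(tokens) else None
    def chain(symbol, operand, combine):     # left-associative run of one binary operator
        nonlocal i
        value = operand()
        while peek() == symbol:
            i += 1
            value = combine(value, operand())   # operand() always runs, so tokens are consumed
        return value
    def or_expr():                           # or binds loosest, and binds tighter
        return chain("|", lambda: chain("&", unary, lambda a, b: a and b), lambda a, b: a or b)
    def unary():                             # highest precedence: not, (), plain values
        nonlocal i
        if i >= len(tokens):
            raise ValueError("lock string ends where a value was expected")
        token, op = tokens[i], peek()
        i += 1
        if op == "!":
            return not unary()
        if op == "(":
            value = or_expr()
            if peek() != ")":
                raise ValueError("missing ')'")
            i += 1
            return value
        if op is not None or token.upper() in OPS:
            raise ValueError(f"{token!r} cannot be used as a value")
        return token in held                 # held values are true, missing ones false
    result = or_expr()
    if i != len(tokens):
        raise ValueError("unexpected token after the expression")
    return result

def permits(lock, user_keys):
    # Assumed key format, taken from the page's example: "collection;VALUE,collection;VALUE"
    held = {k.split(";", 1)[1] for k in user_keys.split(",") if ";" in k}
    try:  # missing or empty denies (per the page); malformed denies (this example's choice)
        return bool(lock and lock.strip()) and evaluate(lock, held)
    except ValueError:
        return False
```

Here permits("AUTHOR|EDITOR", "collection_name;AUTHOR,collection_name;VIEWER") returns True, matching the worked example in the Overview.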
Multiple Lock Strings Per Document
You should ensure that each document has exactly one lock string. Documents which have multiple lock strings will cause undefined behavior.