Global search on elasticsearch for private repositories #6107

Closed
maldag opened this issue Aug 27, 2019 · 5 comments
Labels
Status: stale Issue will be considered inactive soon

Comments

maldag commented Aug 27, 2019

I'm running a local instance of RTD (3.7.2) combined with elasticsearch.
Searching the whole RTD instance from the landing page also returns search entries belonging to private repositories. This seems to be a security flaw since the index probably doesn't care about access rights on the webpage.

The major goal I'm trying to achieve is hosting development and user documentation on the same server using private repositories for developers (which would access and search both) as well as user documentation for people without credentials.

Is there a way to propagate repository rights to elasticsearch?

Member

stsewd commented Aug 27, 2019

Did you set the privacy level of those projects to private (project and versions)?

If so, I think we missed filtering search results using the privacy level here. But on the commercial site we override our classes to respect privacy levels.

@stsewd stsewd added the Needed: more information A reply from issue author is required label Aug 27, 2019
Author

maldag commented Aug 28, 2019

Yes, I did set up two projects with one version (latest) each. Project A is a public project with a public version and project B is a private project with a private version.

Elasticsearch will index both (Autoindex set to true) and will return results from the private project when not logged in as an appropriate user.

Would you be willing to share that template with me or is there any help for this?
Right now I'm using an http-auth mechanism in nginx to prevent the global search for the public when deploying, but that's not really slick since it prevents public projects from providing the downloads, and the API is still publicly available.

It would make sense to me if elasticsearch generated n indices based on permissions (or one index per project) and offered only the ones that fit the user's permissions.

@no-response no-response bot removed the Needed: more information A reply from issue author is required label Aug 28, 2019
Member

stsewd commented Oct 8, 2019

Just in case, this is the class that needs to be overridden

```python
class PageSearch(SettingsOverrideObject):
    """
    Allow this class to be overridden based on CLASS_OVERRIDES setting.
    This is primary used on the .com to adjust how we filter our search queries
    """
    _default_class = PageSearchBase
```

Also, we are in the process of moving some private code to the public repo.
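
Added illustration (not part of the thread, and not code from Read the Docs or any commenter): one way a search override can respect project privacy is to wrap the user's query in an Elasticsearch `bool` query whose `filter` clause limits hits to projects the requester may read. The field names `project` and `privacy_level`, the helper names and the sample data are assumptions.

```python
# Added example: field names, helpers and sample data are assumptions,
# not Read the Docs code.

def allowed_projects(user, projects):
    """Slugs the requester may search: public ones plus those they belong to."""
    return sorted(
        slug for slug, meta in projects.items()
        if meta["privacy_level"] == "public" or (user and user in meta["members"])
    )


def restrict_query(user_query, user, projects):
    """Wrap a query body so only permitted projects can match.

    The restriction lives in `bool.filter`, outside `user_query`, so nothing
    the requester types into the search box can widen it.
    """
    return {
        "query": {
            "bool": {
                "must": [user_query],
                "filter": [{"terms": {"project": allowed_projects(user, projects)}}],
            }
        }
    }


def simulate_hits(body, documents):
    """Tiny stand-in for the index: apply only the terms filter to sample docs."""
    allowed = set(body["query"]["bool"]["filter"][0]["terms"]["project"])
    return [doc["title"] for doc in documents if doc["project"] in allowed]


# Constructed sample data mirroring the issue: project A public, project B private.
PROJECTS = {
    "project-a": {"privacy_level": "public", "members": set()},
    "project-b": {"privacy_level": "private", "members": {"dev1"}},
}
DOCUMENTS = [
    {"project": "project-a", "title": "User guide"},
    {"project": "project-b", "title": "Internal design notes"},
]
QUERY = {"multi_match": {"query": "guide notes", "fields": ["title", "content"]}}

if __name__ == "__main__":
    for user in (None, "dev1"):
        body = restrict_query(QUERY, user, PROJECTS)
        print(user, "->", simulate_hits(body, DOCUMENTS))
```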

Member

stsewd commented Nov 13, 2019

Just a note here, we are in the process of removing the privacy level from all projects #6194

@humitos humitos added this to the Search improvements milestone Nov 18, 2019

stale bot commented Jan 2, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the Status: stale Issue will be considered inactive soon label Jan 2, 2020
@stale stale bot closed this as completed Jan 9, 2020