String collectionName = "docLevelCollection";
setupCollectionWithDocSecurity(collectionName);
try {
createDocsAndQuerySimple(collectionName, true);
CloudSolrServer server = getCloudSolrServer(collectionName);
try {
// test filter queries work as AND -- i.e. user can't avoid doc-level
// checks by prefixing their own filterQuery
setAuthenticationUser("junit");
String fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role}");
String path = "/" + collectionName + "/select?q=*:*&fq="+fq;
String retValue = makeHttpRequest(server, "GET", path, null, null);
assertTrue(retValue.contains("numFound=\"" + NUM_DOCS / 2 + "\" "));
// test that user can't inject an "OR" into the query
final String syntaxErrorMsg = "org.apache.solr.search.SyntaxError: Cannot parse";
fq = URLEncoder.encode(" {!raw f=" + AUTH_FIELD + " v=docLevel_role} OR ");
path = "/" + collectionName + "/select?q=*:*&fq="+fq;
retValue = makeHttpRequest(server, "GET", path, null, null);
assertTrue(retValue.contains(syntaxErrorMsg));
// same test, prefix OR this time
fq = URLEncoder.encode(" OR {!raw f=" + AUTH_FIELD + " v=docLevel_role}");
path = "/" + collectionName + "/select?q=*:*&fq="+fq;
retValue = makeHttpRequest(server, "GET", path, null, null);
assertTrue(retValue.contains(syntaxErrorMsg));
} finally {
server.shutdown();
}
} finally {
deleteCollection(collectionName);
}
}