Authorize elasticsearch results with cancan

Question

Do you have any suggestions how to perform authorization of elasticsearch results (using tire) with cancan?

My approach would be to let cancan load and authorize the models and pass in all authorized ids to the tire search or maybe the other way around.

What do you think?

Answer 1

A proper answer would need a bit more code to understand your situation correctly.

But, generally, as an example:

1. You'd store the user ID(s) for users who can access/manipulate a document directly in the document (eg. author_ids property)
2. You'd pass the user ID (based on the current_user.id value) to a term/terms filter.
3. Alternatively, you can use a boolean query, but filters would be faster and more effiecient.
4. Your results are filtered.

Note, that there are many more possible approaches with elasticsearch and Tire, for instance:

1. You use the “filtered aliases” feature in elasticsearch, to set up a “virtual” index for each user, automatically filtered on the elasticsearch layer.
2. You inject this index name to searches in Tire.