5 Replies Latest reply on Feb 7, 2008 11:51 PM by ajohnson1200

    Search bug

       

      I just noticed that when I am not logged in, if I search for something the search page returns no content and no visible hits (as it should), but it does return the number of search hits, i.e. "Your search for "linux" returned 11 results".

      (I have jive.auth.disallowGuest set to False)

      -Mike

       

       

        • Re: Search bug

          hi Mike,

           

          That's a leaky abstraction: behind the scenes, when we do the search we iterate over the first n results until we find at least x results that the current user (which in your case is anonymous) has the ability to see.  Instead of iterating over every result, we simply return the total count that were found. I can see why this might be a problem for you but there are big performance implications to changing this behavior. If this is a critical function for you, I'd suggest removing the search results count from the results page using a theme. The file you'd want to change is /template/global/search.ftl, right around line 192.

           

          Cheers,

           

          AJ
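An added example, not part of the thread and not Jive's code: a simplified Python model of the behaviour described in the reply above, where results are permission-filtered but the reported count is not, alongside a server-side version of the suggested fix of not showing the count. The index contents, `can_view`, `search`, `guest_can_probe` and the `hide_count_from_guests` switch are all hypothetical names and constructed data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    title: str
    body: str
    public: bool  # constructed flag: may a guest read this document?

# Constructed sample index, not data from the thread.
INDEX = [
    Doc("Welcome", "public landing page", True),
    Doc("Linux build hosts", "internal linux server inventory", False),
    Doc("Kernel notes", "linux patch schedule", False),
    Doc("Lunch menu", "cafeteria hours", False),
]

def can_view(doc, user):
    """Guests (user is None) may read only public documents."""
    return doc.public or user is not None

def search(term, user, page_size=10, scan_limit=50, hide_count_from_guests=False):
    """Return (visible_hits, reported_count) for one page of results."""
    term = term.lower()
    matches = [d for d in INDEX
               if term in d.title.lower() or term in d.body.lower()]
    visible = []
    # Permission-check only the first scan_limit matches, stopping once the page is full.
    for doc in matches[:scan_limit]:
        if can_view(doc, user):
            visible.append(doc)
            if len(visible) == page_size:
                break
    # Leaky part: the count covers every match, readable by this user or not.
    count = len(matches)
    if hide_count_from_guests and user is None:
        count = None  # mitigation: nothing for the results page to render
    return visible, count

def guest_can_probe(term, **options):
    """True if a guest gets no hits yet still learns restricted content matches term."""
    hits, count = search(term, user=None, **options)
    return not hits and bool(count)
```

With the count exposed, a guest can test terms one at a time against content they cannot read; with it suppressed, a restricted match and no match look the same to them.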

            • Re: Search bug

               

              Thanks for the response, Aaron. That is what I figured was happening on the back end, and I see why. However, this still remains a relatively small but significant issue if for no other reason than security. Primarily, it's not the issue that the number of search results is shown, it's the issue that an anonymous user can execute the search, period. Given the right search string, an anonymous user can practically DoS a CS instance by just reloading a big search over and over (I ran my dual-quad-core box up to 55% CPU by just clicking 'refresh' really fast). Of course one can create or mod a theme to not show the search box, but why is the function available to unauthenticated users at all?

              -Mike

               

               

                • Re: Search bug

                  but why is the function available to unauthenticated users at all?

                  Well, I think for external communities it makes a ton of sense to be able to search without having to log in. With that said, you said you disabled the disallow guest property; why not just turn it back on if you're concerned about a DoS attack?

                   

                  Cheers,

                   

                  AJ

                    • Re: Search bug

                       

                      We are shooting for a small "public" front page, possibly with an occasional alert box or maybe just some static content, that is all we want visible without logging in. If we disallow guests, the only thing an unauthenticated user can see is a login box with an apparent error, which just looks bad (though it's normal). It would be nice to selectively expose parts of the system, i.e. have some front page content without showing search, "Top Contributors", "Popular Tags", etc. Could this be done with a skin?

                      -Mike

                       

                       

                        • Re: Search bug

                          hi Mike,

                           

                          You could absolutely do what you're talking about by modifying the skin. You'll want to modify /template/global/user-bar.ftl; you'll see the search form on or around line 200. You could just wrap the entire div in an if block like this:

                          <#if !guest>
                          <div id="jive-userbar-search">
                          ...
                          </div>
                          </#if>

                          Cheers,

                           

                          AJ