phpfull-text-searchmeilisearch

Meilisearch: user protected search


I have a database table "movies" with three fields: id, title and user_id. Behind a login users can create new movies with a custom title. The user_id is set automatically to the current logged in user.

Now on another page (also behind the same login) the users can see all their own created movies as a list. They also can filter them with a text field where they can start typing and the list will be updated.

To make the search as fast as possible I indexed all movies with meilisearch. But currently every user can also see the movies from other users. Is it possible to make sure that each user only can see the the movies that he created?

I tried to solve it with the php package from meilisearch with a custom route, where I can check the user access and then return the results:

$results = $searchService->rawSearch(Channel::class, '', [
    'facetFilters' => ['user_id:XXX'],
]);

// Return results to frontend as json
return $results;

But I want to use meilisearch directly in the frontend and not via the backend because of the performance loss. So is it possible to do the same search in the frontend without that other users can search in movies from others by easily changing the user id in the search query? Is it possible to protect search results or should I use another search engine? If yes, can you recommend another open source search engine?


Solution

  • At the moment, MeiliSearch does not offer multi-tenant key management. This is a future improvement that would allow to automatically restrict the search to the accessible documents from the user's Authorization key who is doing the search.

    In the meantime, it is possible to have an array of user ids that can access this document. Inferring the right user id by building a filter on the front end will work. The limit of this is that someone can delete this filter himself and see other documents. It should be possible to avoid this flaw with a facade/proxy (like Kong for example) that checks for the presence of user_id as a filter or overrides it, but like you said this is not ideal.

    We hope to add this feature before the end of 2021!