From 2d5fdfeb65e7c67d02b46052808092efce4f7b31 Mon Sep 17 00:00:00 2001
From: Michael Peter Christen
Date: Mon, 20 Aug 2012 17:10:48 +0200
Subject: [PATCH] added authorization-based maximum results limitation to solr and gsa search
---
 htroot/gsa/searchresult.java | 6 +++++-
 htroot/solr/select.java | 7 +++++--
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/htroot/gsa/searchresult.java b/htroot/gsa/searchresult.java
index 90b5a432d..a445bd7ba 100644
--- a/htroot/gsa/searchresult.java
+++ b/htroot/gsa/searchresult.java
@@ -81,11 +81,13 @@ public class searchresult {
 sb.peers.peerActions.setUserAgent(clientip, userAgent);
 // check if user is allowed to search (can be switched in /ConfigPortal.html)
- final boolean searchAllowed = sb.getConfigBool("publicSearchpage", true) || sb.verifyAuthentication(header);
+ boolean authenticated = sb.adminAuthenticated(header) >= 2;
+ final boolean searchAllowed = authenticated || sb.getConfigBool("publicSearchpage", true);
 if (!searchAllowed) return null;
 // check post
 if (post == null) return null;
+ sb.intermissionAllThreads(3000); // tell all threads to do nothing for a specific time
 // rename post fields according to result style
 //post.put(CommonParams.Q, post.remove("q")); // same as solr
@@ -94,6 +96,8 @@ public class searchresult {
 //post.put(, post.remove("client"));//required, example: myfrontend
 //post.put(, post.remove("output"));//required, example: xml,xml_no_dtd
 post.put(CommonParams.ROWS, post.remove("num"));
+ post.put(CommonParams.ROWS, Math.min(post.getInt("num", 10), (authenticated) ? 5000 : 100));
+ post.remove("num");
 // get the embedded connector
 EmbeddedSolrConnector connector = (EmbeddedSolrConnector) sb.index.fulltext().getLocalSolr();
diff --git a/htroot/solr/select.java b/htroot/solr/select.java
index 0a95aec32..6191e0dff 100644
--- a/htroot/solr/select.java
+++ b/htroot/solr/select.java
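Review bot: In htroot/gsa/searchresult.java (hunk -81,11 +81,13) the added `sb.intermissionAllThreads(3000);` runs for every request that passes `searchAllowed`, including anonymous ones when `publicSearchpage` is on. Going by its trailing comment it idles all threads for the given time, so unauthenticated traffic could keep background work paused. Consider restricting it to trusted callers, e.g. `if (authenticated) sb.intermissionAllThreads(3000);`. The threshold in `sb.adminAuthenticated(header) >= 2` is an unexplained literal that replaces `sb.verifyAuthentication(header)`, so a comment should state what the return codes mean and which callers still pass when the public search page is switched off. The same lines are added in htroot/solr/select.java (hunk -121,16 +121,19); the enclosing method starts and ends outside both hunks.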
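Review bot: In htroot/gsa/searchresult.java (hunk -94,6 +96,8) the old `post.put(CommonParams.ROWS, post.remove("num"));` survives as a context line directly above the new cap, so `num` has already been removed when `post.getInt("num", 10)` runs. If `remove` deletes the key and `getInt` falls back to its default, as the names suggest, the client's value is discarded and ROWS always ends up as 10; the old line should be deleted so the new statement reads the real request value. `Math.min` also sets only an upper bound, so a negative `num` would be passed on unchanged; `Math.max(0, Math.min(post.getInt("num", 10), authenticated ? 5000 : 100))` bounds both ends. The lower-bound gap applies equally to the ROWS line added in htroot/solr/select.java.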
@@ -121,16 +121,19 @@ public class select {
 sb.peers.peerActions.setUserAgent(clientip, userAgent);
 // check if user is allowed to search (can be switched in /ConfigPortal.html)
- final boolean searchAllowed = sb.getConfigBool("publicSearchpage", true) || sb.verifyAuthentication(header);
+ boolean authenticated = sb.adminAuthenticated(header) >= 2;
+ final boolean searchAllowed = authenticated || sb.getConfigBool("publicSearchpage", true);
 if (!searchAllowed) return null;
 // check post
 if (post == null) return null;
+ sb.intermissionAllThreads(3000); // tell all threads to do nothing for a specific time
 // rename post fields according to result style
 if (!post.containsKey(CommonParams.Q)) post.put(CommonParams.Q, post.remove("query")); // sru patch
 if (!post.containsKey(CommonParams.START)) post.put(CommonParams.START, post.remove("startRecord")); // sru patch
- if (!post.containsKey(CommonParams.ROWS)) post.put(CommonParams.ROWS, post.remove("maximumRecords")); // sru patch
+ post.put(CommonParams.ROWS, Math.min(post.getInt(CommonParams.ROWS, post.getInt("maximumRecords", 10)), (authenticated) ? 5000 : 100));
+ post.remove("maximumRecords");
 // get a response writer for the result
 String wt = post.get(CommonParams.WT, "xml"); // maybe use /solr/select?q=*:*&start=0&rows=10&wt=exml
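Review bot: The caps `5000` and `100` in the new ROWS line are bare literals that now exist in two servlets (here and in htroot/gsa/searchresult.java), so a later change to one endpoint's limit leaves the other with a different ceiling. Defining them once in a shared place or a config key, under names such as `MAX_ROWS_AUTHENTICATED` and `MAX_ROWS_PUBLIC` (illustrative), keeps the two result limits in step. `authenticated` could also be declared `final` like `searchAllowed` on the next line, since it is not reassigned in the visible lines.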