key-based access control for tantivy backend

2025-09-25 13:36:23 +02:00
parent 22ac4c9ed6
commit e7248b84e8
2 changed files with 313 additions and 0 deletions
--- a/src/search_cmd.rs
+++ b/src/search_cmd.rs
@@ -32,6 +32,10 @@ pub async fn ft_create_cmd(
        return Ok(Protocol::err("ERR DB backend is not Tantivy; FT.* commands are not allowed"));
    }

+    if !server.has_write_permission() {
+        return Ok(Protocol::err("ERR write permission denied"));
+    }
+
    // Parse schema into field definitions
    let mut field_definitions = Vec::new();
    for (field_name, field_type, options) in schema {
@@ -158,6 +162,9 @@ pub async fn ft_add_cmd(
    if !is_tantivy {
        return Ok(Protocol::err("ERR DB backend is not Tantivy; FT.* commands are not allowed"));
    }
+    if !server.has_read_permission() {
+        return Ok(Protocol::err("ERR read permission denied"));
+    }
    let indexes = server.search_indexes.read().unwrap();
    let search_index = indexes
        .get(&index_name)
@@ -192,6 +199,9 @@ pub async fn ft_search_cmd(
    if !is_tantivy {
        return Ok(Protocol::err("ERR DB backend is not Tantivy; FT.* commands are not allowed"));
    }
+    if !server.has_write_permission() {
+        return Ok(Protocol::err("ERR write permission denied"));
+    }
    let indexes = server.search_indexes.read().unwrap();
    let search_index = indexes
        .get(&index_name)
@@ -264,6 +274,9 @@ pub async fn ft_del_cmd(
    if !is_tantivy {
        return Ok(Protocol::err("ERR DB backend is not Tantivy; FT.* commands are not allowed"));
    }
+    if !server.has_write_permission() {
+        return Ok(Protocol::err("ERR write permission denied"));
+    }
    let indexes = server.search_indexes.read().unwrap();
    let _search_index = indexes
        .get(&index_name)
@@ -291,6 +304,9 @@ pub async fn ft_info_cmd(server: &Server, index_name: String) -> Result<Protocol
    if !is_tantivy {
        return Ok(Protocol::err("ERR DB backend is not Tantivy; FT.* commands are not allowed"));
    }
+    if !server.has_read_permission() {
+        return Ok(Protocol::err("ERR read permission denied"));
+    }
    let indexes = server.search_indexes.read().unwrap();
    let search_index = indexes
        .get(&index_name)
@@ -335,6 +351,10 @@ pub async fn ft_drop_cmd(server: &Server, index_name: String) -> Result<Protocol
        return Ok(Protocol::err("ERR DB backend is not Tantivy; FT.* commands are not allowed"));
    }

+    if !server.has_write_permission() {
+        return Ok(Protocol::err("ERR write permission denied"));
+    }
+
    // Remove from registry
    {
        let mut indexes = server.search_indexes.write().unwrap();