RavenQueryStatistics ignore Authorization Bundle's security

Shifatullah Rizwan

unread,

Apr 14, 2013, 8:24:54 AM4/14/13

to rav...@googlegroups.com

Hi,

We are using Raven.Bundles.Authorization bundle and use _documentSession.SecureFor() to retrieve only those documents which are authorized to the given user for the given operation.

In our scenario, we have only two documents authorized to user and query returns only two records, however TotalResults property of RavenQueryStatistics returned by query, returns count of all the documents existing in the database regardless of SecureFor settings.

Is it possible somehow that Statistics shows count of only authorised documents?

Regards,

Shifatullah Rizwan

Oren Eini (Ayende Rahien)

unread,

Apr 15, 2013, 1:29:18 AM4/15/13

to ravendb

No, that would force us to scan the entire result set, and that may have thousands or more of items.

--
You received this message because you are subscribed to the Google Groups "ravendb" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ravendb+u...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Mauro Servienti

unread,

Apr 15, 2013, 2:02:24 AM4/15/13

to rav...@googlegroups.com

so the only way to do pagination when the auth bundle is in place is to do 2 queries?

one for the data and one for the total count?

.m

From: rav...@googlegroups.com [rav...@googlegroups.com] on behalf of Oren Eini (Ayende Rahien) [aye...@ayende.com]
Sent: Monday, April 15, 2013 7:29
To: ravendb
Subject: Re: [RavenDB] RavenQueryStatistics ignore Authorization Bundle's security

Oren Eini (Ayende Rahien)

unread,

Apr 15, 2013, 2:06:45 AM4/15/13

to ravendb

No, the total count would still be wrong. total count is always calculated the same way, through the stats.

Payam Yazdkhasti

unread,

Nov 15, 2013, 10:43:47 AM11/15/13

to rav...@googlegroups.com

So what we can do to this problem?

Chris Marisic

unread,

Nov 15, 2013, 11:33:18 AM11/15/13

to rav...@googlegroups.com

Issue the same query that uses secure for and do Count() instead of ToList(), if that doesn't return you the right result then that's definitely a bug.

You could also use lazy/batch to issue the 2 queries simultaneously instead of having 2 separate http requests.

Oren Eini (Ayende Rahien)

unread,

Nov 15, 2013, 12:37:04 PM11/15/13

to ravendb

It will always issue the same count Chris.

Here is why.

You have a 10,000 items in the db.

You have auth to see only 25% of them.

When you do a query for a particular page, we scan that page, and only give you back stuff that you can see.

But when you do a count query, we _don't_ do that. To do otherwise would force us to check _each an every one of those items_.

Oren Eini

CEO

Hibernating Rhinos

Cellular: +972-52-548-6969

Office: +972-4-674-7811

Fax: +972-153-4622-7811

--
You received this message because you are subscribed to the Google Groups "RavenDB - 2nd generation document database" group.

Mircea Chirea

unread,

Nov 15, 2013, 2:29:16 PM11/15/13

to rav...@googlegroups.com

You HAVE TO do that. Otherwise paging is completely impossible, making the feature practically useless.

Mauro Servienti

unread,

Nov 15, 2013, 2:34:25 PM11/15/13

to rav...@googlegroups.com

+1

Sent from my Windows Phone, typos are guaranteed ;-)

From: Mircea Chirea
Sent: ‎15/‎11/‎2013 20.29
To: rav...@googlegroups.com

Subject: Re: [RavenDB] RavenQueryStatistics ignore Authorization Bundle's security

Oren Eini (Ayende Rahien)

unread,

Nov 15, 2013, 2:45:42 PM11/15/13

to ravendb

Or, at the same time, this feature means that you now have to make 100,000 reads from the disk, making it entirely non functional as far as perfromance goes.

Oren Eini

CEO

Hibernating Rhinos

Cellular: +972-52-548-6969

Office: +972-4-674-7811

Fax: +972-153-4622-7811

Mauro Servienti

unread,

Nov 16, 2013, 2:11:37 AM11/16/13

to rav...@googlegroups.com

So, how can we achieve paging when the auth bundle is in place? Or should we get rid of the auth bundle itself?

Sent from my Windows Phone, typos are guaranteed ;-)

From: Oren Eini (Ayende Rahien)
Sent: ‎15/‎11/‎2013 20.46

To: ravendb
Subject: Re: [RavenDB] RavenQueryStatistics ignore Authorization Bundle's security

Oren Eini (Ayende Rahien)

unread,

Nov 16, 2013, 6:23:54 AM11/16/13

to ravendb

You can do paging, you just can't reliably say how many items you have.

Oren Eini

CEO

Hibernating Rhinos

Cellular: +972-52-548-6969

Office: +972-4-674-7811

Fax: +972-153-4622-7811

On Sat, Nov 16, 2013 at 9:11 AM, Mauro Servienti <ma...@topics.it> wrote:

So, how can we achieve paging when the auth bundle is in place? Or should we get rid of the auth bundle itself?

Sent from my Windows Phone, typos are guaranteed ;-)

From: Oren Eini (Ayende Rahien)

Sent: 15/11/2013 20.46

Mauro Servienti

unread,

Nov 16, 2013, 6:41:30 AM11/16/13

to rav...@googlegroups.com

So, just to recap, if we have the Auth Bundle in place:

- “Total Results” cannot be trusted;

- The consequence is that we cannot know upfront how many pages we have;

The question now is: if we do a “Skip( x ).Take ( y )” are we sure that we get back “y” docs? if there are at least y, obviously, or the Auth Bundle runs after paging is applied server side thus we cannot even trust the page size?

To me the total count missing/unreliable is not a big deal, I’m not exposing paging to the end user because we have everywhere “infinite scrolling”, but I need to be sure that if a request a x docs I get back x docs not “x – the one I cannot see” otherwise even infinite scrolling can become a mess.

.m