
I'm using a combo of Python and Django, and the JS libraries Bloodhound and typeahead, to form an incremental search box on a website. In the JS so far I've included the URL of the remote Solr server so that the JS can fire queries at it to populate the search box as the user types. The thing that occurs to me is that I might prefer not to make this Solr URL visible to the user should they view the source and the JS script. Is it possible to do this? Perhaps there is a better way of achieving this altogether... I've copied the relevant bit of code below and you can see the URL of the Solr server is visible in the script:

```javascript
// construct suggestion engine
var engine = new Bloodhound({
    datumTokenizer: function (datum) {
        return Bloodhound.tokenizers.whitespace(datum.title);
    },
    queryTokenizer: Bloodhound.tokenizers.whitespace,
    remote: {
        // the Solr server address is visible to anyone who reads this script
        url: 'http://localhost:8983/solr/document_core/select?wt=json&q=%QUERY',
        wildcard: '%QUERY',
        // map each Solr document to the fields the suggestion list displays
        filter: function (data) {
            return $.map(data.response.docs, function (suggestionSet) {
                return {
                    title: suggestionSet.title,
                    category: suggestionSet.category
                };
            });
        }
    }
});
```

Many thanks for any help!

1 Answer

You cannot hide anything in clientside. Access Solr from serverside, after checking whether the user is authorised to make the query; then relay the results to clientside if you need them there.

Amadan
  • OK, thanks a lot. It sort of suggests then that using these JS libraries is probably not suitable, given this is the way to do this using Bloodhound and typeahead. I'd be better off writing my own server-side code. – jabbathecode Sep 18 '15 at 12:54
  • The JS libraries are fine. You can just modify your parameters (the `filter` function in particular) to fit the response you are sending. In fact, the response doesn't even have to change at all, you can pass through all the data from Solr unchanged. The point of the custom serverside is to verify that you are only running the approved queries. It's like putting a cashier between a bank safe and a customer; you're not giving the customer a different kind of money, you're just checking if he's allowed to have it. – Amadan Sep 18 '15 at 15:12
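
A sketch of the server-side relay the answer describes, added here as an example (it is not code from the question or the answer). It is framework-independent Python that a Django view could call; the function names, the length and row limits, and the choice to fix `fl` and `rows` are assumptions.

```python
import json
import re
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumption: the Solr address is server-side configuration, never sent to the browser.
SOLR_SELECT = "http://localhost:8983/solr/document_core/select"
MAX_QUERY_LEN = 64   # assumed cap on what a search box needs
MAX_ROWS = 10        # assumed number of suggestions
# Lucene query-syntax characters; escaping them stops user input from adding
# field selectors, wildcards or ranges to the query.
_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/&|])')


def build_solr_url(user_text):
    """Build the single query shape this relay is willing to send to Solr."""
    text = user_text.strip()[:MAX_QUERY_LEN]
    if not text:
        raise ValueError("empty query")
    # Every parameter is fixed here; nothing else from the request is forwarded.
    params = {
        "wt": "json",
        "q": _SPECIAL.sub(r"\\\1", text),
        "fl": "title,category",
        "rows": MAX_ROWS,
    }
    return SOLR_SELECT + "?" + urlencode(params)


def _http_get(url):
    with urlopen(url, timeout=3) as resp:
        return resp.read().decode("utf-8")


def suggest(is_authorised, user_text, fetch=_http_get):
    """Return (status, payload); a Django view would wrap this in a JsonResponse."""
    if not is_authorised:
        return 403, {"error": "forbidden"}
    try:
        url = build_solr_url(user_text)
    except ValueError:
        return 400, {"error": "bad query"}
    docs = json.loads(fetch(url))["response"]["docs"]
    # Relay only the two fields the typeahead box displays.
    return 200, [{"title": d.get("title"), "category": d.get("category")} for d in docs]
```

With this in place the Bloodhound `remote.url` points at the application's own route (for example a hypothetical `/suggest/?q=%QUERY`), and `filter` maps over the returned list directly.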