ESearch returning too many results

ltseng · June 24, 2021, 9:12pm

Hello,

The NodeJS server of my organization integrates with Kaltura via the kaltura-client NPM package. We have been using this package to search for videos within Kaltura but recently one of our clients has reported that users are getting videos in their search results that they shouldn’t have access to. To keep it simple, I’ll focus on a single notable incident of this occurrence that one of our clients mentioned to us.

A Kaltura user (“UserA”) searches for a video called “Week One Part One” by its full title. The video with that exact title is correctly returned, but so is another video that seemingly doesn’t match the conditions specified by the search parameters.

In this instance, here is what my organization is trying to do in plain English:

Find a video where:
video.mediaType is either 1 OR 5
AND video.name partially contains “Week One Part One”
AND (
video.userId = “UserA”
OR video.entitledUsersEdit includes “UserA”
OR video.entitledUsersPublish includes “UserA”
OR video.entitledUsersView includes “UserA”
)

As mentioned above, we’re using the kaltura-client NPM package to construct these search queries. To avoid getting bogged down in the minutiae of various coding languages, I will instead just show you what this finalized search query looked like:

ESearchEntryParams {
    objectType: 'KalturaESearchEntryParams',
        searchOperator: ESearchEntryOperator {
        objectType: 'KalturaESearchEntryOperator',
            operator: 1,
                searchItems: [
                    ESearchEntryOperator {
                        objectType: 'KalturaESearchEntryOperator',
                        operator: 2,
                        searchItems: [
                            ESearchEntryItem {
                                objectType: 'KalturaESearchEntryItem',
                                searchTerm: 1,
                                itemType: 1,
                                fieldName: 'media_type'
                            },
                            ESearchEntryItem {
                                objectType: 'KalturaESearchEntryItem',
                                searchTerm: 5,
                                itemType: 1,
                                fieldName: 'media_type'
                            }
                        ]
                    },
                    ESearchEntryOperator {
                        objectType: 'KalturaESearchEntryOperator',
                        operator: 2,
                        searchItems: [
                            ESearchEntryItem {
                                objectType: 'KalturaESearchEntryItem',
                                searchTerm: 'UserA',
                                itemType: 1,
                                fieldName: 'kuser_id'
                            },
                            ESearchEntryItem {
                                objectType: 'KalturaESearchEntryItem',
                                searchTerm: 'UserA',
                                itemType: 4,
                                fieldName: 'entitled_kusers_edit'
                            },
                            ESearchEntryItem {
                                objectType: 'KalturaESearchEntryItem',
                                searchTerm: 'UserA',
                                itemType: 4,
                                fieldName: 'entitled_kusers_publish'
                            },
                            ESearchEntryItem {
                                objectType: 'KalturaESearchEntryItem',
                                searchTerm: 'UserA',
                                itemType: 4,
                                fieldName: 'entitled_kusers_view'
                            }
                        ]
                    },
                    ESearchEntryItem {
                        objectType: 'KalturaESearchEntryItem',
                        searchTerm: 'Week One Part One',
                        itemType: 2,
                        fieldName: 'name'
                    }
                ]
    },
    orderBy: '-createdAt’
}

Now compare those search parameters to the relevant fields of the unexpected video we’re receiving in that search request:

{
 entitledUsersEdit: "GroupNameA",
 entitledUsersPublish: "GroupNameA",
 entitledUsersView: "GroupNameA",
 name: "Week 1 - THE MARKETING FUNCTION",
 userId: "UserB",
 type: 1,
}

My question to the Kaltura community is this: why is this video being returned in this search query when “UserA” is not the userId associated with the video nor does he have edit, publish, or view access over the video? I can see that the video is being returned because both its title and the search term contain the word “Week” but the other conditions should still come into play here, right?

Thank you for any and all help.

hunter.peress · June 25, 2021, 6:11am

Hi!

The details are very important for this query.

I am tempted to try to recreate your query. And I will definitely have to.
But, my intuition tells me these kinds of issues usually tend to be a one character/operation in the wrong place. So, if you could provide a line for line repro of the code you are using to make the query, I think that would be the fastest way to zero in on what the issue may be.

Can you please paste your query in javascript so i can attempt to reproduce your issue?

I also will probably need a little more context on the data that you are querying as that will probably be relevant to the repro. But let’s see how far we can get with the code first and foremost.

Feel free to paste the code as a response and any other data you feel may be relevant, DM it to me on here, or email me hunter.peress kaltura com

Thank you!

-Hunter Peress
Kaltura Video API Evangelist

ltseng · June 30, 2021, 6:27pm

Hi Hunter,

I’m going to email you directly.

Best,
Lillian

ZoharBabin · July 1, 2021, 6:11am

@ltseng - you’re not supposed to search for entitled* (unless you’re building an entitlements moderation app). The entitlement rules are enforced by the backend when you make the search with the appropriate Kaltura Session used in your search request.
If the KS used belongs to userA, the backend will enforce the entitlements of userA, etc.
Similarly, if userA is a member of GroupNameA - than they will indeed get all the videos that GroupNameA is entitled to.

jackyjoy123 · September 2, 2021, 12:28pm

thanks for the awesome information.