Thursday, February 14, 2008

How to use WSS 3.0 to search more than one site collection in one go

I have been working on some courseware for Microsoft, and in the process have come across something interesting.

Search queries the content database of a web application for data, right? And search is supposed to confine it's search to the site collection the user typed the query into, right?

But search does search the site collection path from the point where the query was made (be it at the top-level site, or at a subsite) downwards through the path.

So what if you were searching from the top-level site of the root site collection in a web application? Theoretically, all site collections from there are on its path and therefore available to be used for search results.

So, theoretically, searching from the top-level site of http://sp2/, you could search http://sp2/sales, http://sp2/marketing/document1workspace, http://sp2/sites/saffronsblog, etc.. Even though saffron's blog is a different site collection altogether it's still on the path.

What makes that possible (or generally impossible- garnering the standard that searches are site collection-centric)? Most site collections have different user accounts in them. They are usually user boundaries, created to give different people access to different data. But if you have an account on the root site collection of a web application that is also a member of the other site collections on the path, then that person can, in fact, do a search at the top-level site of the root site collection, and get results that are located in the other site collections.

Search is generally limited by site collection due to security filtering. The other site collections on the path are omitted because the user doing the query doesn't have the right to see those results-- not because search doesn't go out to those additional site collections.

What stops search from accessing additional site collections is the caveat that the account must also be a member of the other site collection(s) in order for this to work. But if you have someone, say an IT staff member, who is a member of other site collections in that web application, then they can do this cross site collection search trick.

Try it. Break the site collection search boundary. So far, over and over, it has worked for me.

And if this is a security issue, giving the wrong people the right to search where you don't want them to-- well, you shouldn't have made them members of the other site collections...

2 comments:

Christian Henry said...

I just gotta say "A BIG thank you" to you ServerGrrl! Your detailed and correct posts have helped me out on two very important occasions now.

You ROCK!

Unknown said...

Thanks for this post. I've just tested this and let say if you have:

http://sp2/
http://sp2/IT
http://sp2/Finance

What I found is that after I've implemented the security on all sites, the search is only working on http://sp2 to search any document on the Sp2/IT or sp2/Finance BUT if you are in the SP2/IT then you can't search whateer in the SP2/Finance. Is this right or?