Amount of results in a search does not take into account access rights
When doing a search the amount of results reported is before the filtering according to rights has been applied.
The extreme case is when you get a results indicator of many hundred but you get no results back.
Since the results are paginated the check is only performed on those that are returned. The effect might be that 200 entries are checked to get a list of 100 entries to send back (when there is a limit of 100).
If the amount of entries being returned is smaller than the limit, indicate that number in the results (take into account the offset).
Otherwise indicate the total amount of results as reported by Solr (i.e. as it is today).
Leave it as it is today, and if the amount of entries returned is smaller than the limit the client can report a more accurate amount of results.
Go through all the matching results and report an actual number of available search results. This approach is probably too computationally expensive.
In any case, it should be documented how it works in:
An accurate result count for matching entries cannot be implemented with the current ACL-handling in Solr.
The exact behavior and some background information are now documented at https://code.google.com/p/entrystore/wiki/KnowledgeBaseSearch
The decision to hide inaccessible results also affects directory listings, not only search. Currently entries to which the user does not have access are shown as "Insufficient rights" in the list. They should not be shown at all instead.
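The counting rule from the first proposal in this issue (report the returned number when the page comes back short, otherwise the index total), as an added Python sketch that is not EntryStore code. The names `search_page`, `Page`, `HITS` and `odd_only` are hypothetical, an in-memory list stands in for the Solr hit list, and the offset is assumed to count accessible entries.

```python
from typing import Callable, List, NamedTuple


class Page(NamedTuple):
    entries: List[int]
    reported_count: int  # number shown to the client as "results found"
    exact: bool          # True only when every index hit was access-checked
    checked: int         # index hits that went through the access check


def search_page(hits: List[int], can_read: Callable[[int], bool],
                offset: int, limit: int) -> Page:
    """Filter index hits by access rights while paging (post-filtering).

    hits is the unfiltered, ordered match list from the index.
    """
    skipped, checked, page = 0, 0, []
    for entry in hits:
        checked += 1
        if not can_read(entry):
            continue                # inaccessible: never returned
        if skipped < offset:
            skipped += 1            # accessible, but on an earlier page
            continue
        page.append(entry)
        if len(page) == limit:
            break                   # page full: remaining hits stay unchecked
    if len(page) < limit:
        # Hits exhausted, so every match was checked and the count is exact.
        return Page(page, skipped + len(page), True, checked)
    # Page full: fall back to the unfiltered index total, which still
    # includes entries this user cannot read.
    return Page(page, len(hits), False, checked)


# Constructed sample: 400 index hits, only odd ids readable by this user.
HITS = list(range(400))


def odd_only(entry: int) -> bool:
    return entry % 2 == 1


if __name__ == "__main__":
    print(search_page(HITS, odd_only, offset=0, limit=100)._replace(entries=[]))
    print(search_page(HITS, odd_only, offset=150, limit=100)._replace(entries=[]))
    print(search_page(HITS, lambda e: False, offset=0, limit=100))
```

The count becomes exact only on a short page; a full page still reports the unfiltered total, so the number can exceed what the user is able to reach.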