forum and core: add a dedicated mixin to exclude unauthorized search results

076b10e3 · Sli · Skia · 3fdb83c1 · 076b10e3 · 076b10e3
Commit 076b10e3 authored Dec 07, 2018 by Sli Committed by Skia Dec 13, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 14 deletions

core/views/__init__.py core/views/__init__.py +25 -11

forum/views.py forum/views.py +8 -3

No files found.
--- a/core/views/__init__.py
+++ b/core/views/__init__.py
@@ -189,27 +189,41 @@ class CanViewMixin(View):
        # If we get here, it's a ListView
        queryset = self.get_queryset()

-        # Test if comes from a haystack query
-        if isinstance(queryset, SearchQuerySet):
-            l_id = [o.object.id for o in queryset if can_view(o.object, request.user)]
-        else:
-            l_id = [o.id for o in queryset if can_view(o, request.user)]
+        l_id = [o.id for o in queryset if can_view(o, request.user)]
        if not l_id and queryset.count() != 0:
            raise PermissionDenied
        self._get_queryset = self.get_queryset

        def get_qs(self2):
-            q = self2._get_queryset()
-            # Test if comes from a haystack query
-            if isinstance(q, SearchQuerySet):
-                resp = [r.object for r in q if r.object.id in l_id]
-                return resp
-            return q.filter(id__in=l_id)
+            return self._get_queryset().filter(id__in=l_id)

        self.get_queryset = types.MethodType(get_qs, self)
        return super(CanViewMixin, self).dispatch(request, *arg, **kwargs)


+class CanViewSearchMixin(View):
+    """
+    This view removes all forbidden content from a SearchQuerySet
+    """
+
+    def dispatch(self, request, *arg, **kwargs):
+
+        queryset = self.get_queryset()
+        excluded = [
+            o.object.id for o in queryset if not can_view(o.object, request.user)
+        ]
+
+        self._queryset = queryset
+
+        def get_qs(self2):
+            q = self2._queryset.exclude(id__in=excluded)
+            resp = [r.object for r in q]
+            return resp
+
+        self.get_queryset = types.MethodType(get_qs, self)
+        return super(CanViewSearchMixin, self).dispatch(request, *arg, **kwargs)
+
+
 class FormerSubscriberMixin(View):
    """
    This view check if the user was at least an old subscriber

--- a/forum/views.py
+++ b/forum/views.py
@@ -37,19 +37,24 @@ from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger

 from ajax_select import make_ajax_field

-from core.views import CanViewMixin, CanEditMixin, CanEditPropMixin, CanCreateMixin
+from core.views import (
+    CanViewMixin,
+    CanEditMixin,
+    CanEditPropMixin,
+    CanCreateMixin,
+    CanViewSearchMixin,
+)
 from core.views.forms import MarkdownInput
 from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta
 from haystack.query import SearchQuerySet


-class ForumSearchView(CanViewMixin, ListView):
+class ForumSearchView(CanViewSearchMixin, ListView):
    template_name = "forum/search.jinja"

    def get_queryset(self):
        query = self.request.GET.get("query", "")
        return SearchQuerySet().models(ForumMessage).autocomplete(auto=query)
-        # return [r.object for r in q]


 class ForumMainView(ListView):