Commit 076b10e3 authored by Sli's avatar Sli Committed by Skia

forum and core: add a dedicated mixin to exclude unauthorized search results

parent 3fdb83c1
...@@ -189,27 +189,41 @@ class CanViewMixin(View): ...@@ -189,27 +189,41 @@ class CanViewMixin(View):
# If we get here, it's a ListView # If we get here, it's a ListView
queryset = self.get_queryset() queryset = self.get_queryset()
# Test if comes from a haystack query l_id = [o.id for o in queryset if can_view(o, request.user)]
if isinstance(queryset, SearchQuerySet):
l_id = [o.object.id for o in queryset if can_view(o.object, request.user)]
else:
l_id = [o.id for o in queryset if can_view(o, request.user)]
if not l_id and queryset.count() != 0: if not l_id and queryset.count() != 0:
raise PermissionDenied raise PermissionDenied
self._get_queryset = self.get_queryset self._get_queryset = self.get_queryset
def get_qs(self2): def get_qs(self2):
q = self2._get_queryset() return self._get_queryset().filter(id__in=l_id)
# Test if comes from a haystack query
if isinstance(q, SearchQuerySet):
resp = [r.object for r in q if r.object.id in l_id]
return resp
return q.filter(id__in=l_id)
self.get_queryset = types.MethodType(get_qs, self) self.get_queryset = types.MethodType(get_qs, self)
return super(CanViewMixin, self).dispatch(request, *arg, **kwargs) return super(CanViewMixin, self).dispatch(request, *arg, **kwargs)
class CanViewSearchMixin(View):
"""
This view removes all forbidden content from a SearchQuerySet
"""
def dispatch(self, request, *arg, **kwargs):
queryset = self.get_queryset()
excluded = [
o.object.id for o in queryset if not can_view(o.object, request.user)
]
self._queryset = queryset
def get_qs(self2):
q = self2._queryset.exclude(id__in=excluded)
resp = [r.object for r in q]
return resp
self.get_queryset = types.MethodType(get_qs, self)
return super(CanViewSearchMixin, self).dispatch(request, *arg, **kwargs)
class FormerSubscriberMixin(View): class FormerSubscriberMixin(View):
""" """
This view check if the user was at least an old subscriber This view check if the user was at least an old subscriber
......
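Review bot: In `CanViewSearchMixin.dispatch`, the filtering depends on `self2._queryset.exclude(id__in=excluded)`, which fails open whenever the index-side exclusion does not match. As far as I know Haystack stores the document identifier (`app.model.pk`) in `id` and the database key in `django_id`, so a list of model pks may exclude nothing here; this should be confirmed against the configured backend. `o.object` can also be `None` for a stale index entry, which would raise on `.id` in the list comprehension. Checking permission on the materialised results keeps the filter fail-closed: `return [r.object for r in self2._queryset if r.object is not None and can_view(r.object, request.user)]`, after which the `excluded` list is no longer needed.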
...@@ -37,19 +37,24 @@ from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger ...@@ -37,19 +37,24 @@ from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
from ajax_select import make_ajax_field from ajax_select import make_ajax_field
from core.views import CanViewMixin, CanEditMixin, CanEditPropMixin, CanCreateMixin from core.views import (
CanViewMixin,
CanEditMixin,
CanEditPropMixin,
CanCreateMixin,
CanViewSearchMixin,
)
from core.views.forms import MarkdownInput from core.views.forms import MarkdownInput
from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta
from haystack.query import SearchQuerySet from haystack.query import SearchQuerySet
class ForumSearchView(CanViewMixin, ListView): class ForumSearchView(CanViewSearchMixin, ListView):
template_name = "forum/search.jinja" template_name = "forum/search.jinja"
def get_queryset(self): def get_queryset(self):
query = self.request.GET.get("query", "") query = self.request.GET.get("query", "")
return SearchQuerySet().models(ForumMessage).autocomplete(auto=query) return SearchQuerySet().models(ForumMessage).autocomplete(auto=query)
# return [r.object for r in q]
class ForumMainView(ListView): class ForumMainView(ListView):
......
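Review bot: `ForumSearchView.get_queryset` passes the raw `query` parameter to `autocomplete` with no length limit or cap on hits, and with `CanViewSearchMixin` every hit is loaded and run through `can_view` on each request. The per-request cost is therefore proportional to whatever a client-chosen query matches. I would bound both the query length and the number of hits the permission pass inspects, with limits chosen by the project. Since this view now relies entirely on the new mixin for access control, a test asserting that a user without access to a forum gets none of its messages back from the search would pin the intended behaviour.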