Commit 076b10e3 authored by Sli's avatar Sli Committed by Skia

forum and core: add a dedicated mixin to exclude unauthorized search results

parent 3fdb83c1
......@@ -189,27 +189,41 @@ class CanViewMixin(View):
# If we get here, it's a ListView
queryset = self.get_queryset()
# Test if comes from a haystack query
if isinstance(queryset, SearchQuerySet):
l_id = [ for o in queryset if can_view(o.object, request.user)]
l_id = [ for o in queryset if can_view(o, request.user)]
if not l_id and queryset.count() != 0:
raise PermissionDenied
self._get_queryset = self.get_queryset
def get_qs(self2):
q = self2._get_queryset()
# Test if comes from a haystack query
if isinstance(q, SearchQuerySet):
resp = [r.object for r in q if in l_id]
return resp
return q.filter(id__in=l_id)
return self._get_queryset().filter(id__in=l_id)
self.get_queryset = types.MethodType(get_qs, self)
return super(CanViewMixin, self).dispatch(request, *arg, **kwargs)
class CanViewSearchMixin(View):
This view removes all forbidden content from a SearchQuerySet
def dispatch(self, request, *arg, **kwargs):
queryset = self.get_queryset()
excluded = [ for o in queryset if not can_view(o.object, request.user)
self._queryset = queryset
def get_qs(self2):
q = self2._queryset.exclude(id__in=excluded)
resp = [r.object for r in q]
return resp
self.get_queryset = types.MethodType(get_qs, self)
return super(CanViewSearchMixin, self).dispatch(request, *arg, **kwargs)
class FormerSubscriberMixin(View):
This view check if the user was at least an old subscriber
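Review bot: `CanViewSearchMixin.dispatch` filters with a denylist, so it fails open. The permission check runs over one evaluation of the search results, and `get_qs` then re-runs the query with `exclude(id__in=excluded)`; any hit the first pass did not see, or any mismatch between the collected ids and what the backend stores in its `id` field, comes back unfiltered. The collected expression is elided on this page, but if it is the model primary key, note that Haystack's `id` field is normally the `app.model.pk` document identifier, so this needs a test with a user who lacks access. A fail-closed form checks at materialisation, `return [r.object for r in self2._queryset if r.object is not None and can_view(r.object, self2.request.user)]`, which also skips stale index entries whose `object` is None. `CanViewMixin.dispatch` starts above this hunk and `FormerSubscriberMixin` continues below it.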
......@@ -37,19 +37,24 @@ from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
from ajax_select import make_ajax_field
from core.views import CanViewMixin, CanEditMixin, CanEditPropMixin, CanCreateMixin
from core.views import (
from core.views.forms import MarkdownInput
from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta
from haystack.query import SearchQuerySet
class ForumSearchView(CanViewMixin, ListView):
class ForumSearchView(CanViewSearchMixin, ListView):
template_name = "forum/search.jinja"
def get_queryset(self):
query = self.request.GET.get("query", "")
return SearchQuerySet().models(ForumMessage).autocomplete(auto=query)
# return [r.object for r in q]
class ForumMainView(ListView):
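Review bot: `get_queryset` passes the raw `query` parameter to `autocomplete` with no minimum length or result cap. Because `CanViewSearchMixin` loads and permission-checks every hit on each request, a very broad query costs one object load per matching message. No `paginate_by` is visible in this section, so consider rejecting blank or very short queries and bounding the result count before the permission pass. The leftover `# return [r.object for r in q]` comment can be dropped, and a docstring such as `"""Search forum messages; hits the user cannot view are removed by CanViewSearchMixin."""` would record why this mixin replaced `CanViewMixin`. The body of `ForumMainView` continues outside the hunk.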