From 3fdb83c1c2a4a4d63bd2459ebf28269ab86876d2 Mon Sep 17 00:00:00 2001
From: Bartuccio Antoine
Date: Thu, 6 Dec 2018 14:22:55 +0100
Subject: [PATCH] forum and core: add access rights on search query

---
 core/views/__init__.py | 20 +++++++++++++++++---
 forum/models.py | 6 +++---
 forum/views.py | 7 ++++---
 3 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/core/views/__init__.py b/core/views/__init__.py
index 77841dcd..639145a3 100644
--- a/core/views/__init__.py
+++ b/core/views/__init__.py
@@ -2,6 +2,7 @@
 #
 # Copyright 2016,2017
 # - Skia
+# - Sli
 #
 # Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
 # http://ae.utbm.fr.
@@ -42,6 +43,7 @@ from django.db.models import Count
 
 from core.models import Group
 from core.views.forms import LoginForm
+from haystack.query import SearchQuerySet
 
 
 def forbidden(request):
@@ -176,6 +178,7 @@ class CanViewMixin(View):
     """
 
     def dispatch(self, request, *arg, **kwargs):
+
         try:
             self.object = self.get_object()
             if can_view(self.object, request.user):
@@ -184,13 +187,24 @@ class CanViewMixin(View):
         except:
             pass
         # If we get here, it's a ListView
-        l_id = [o.id for o in self.get_queryset() if can_view(o, request.user)]
-        if not l_id and self.get_queryset().count() != 0:
+        queryset = self.get_queryset()
+
+        # Test if comes from a haystack query
+        if isinstance(queryset, SearchQuerySet):
+            l_id = [o.object.id for o in queryset if can_view(o.object, request.user)]
+        else:
+            l_id = [o.id for o in queryset if can_view(o, request.user)]
+        if not l_id and queryset.count() != 0:
             raise PermissionDenied
         self._get_queryset = self.get_queryset
 
         def get_qs(self2):
-            return self2._get_queryset().filter(id__in=l_id)
+            q = self2._get_queryset()
+            # Test if comes from a haystack query
+            if isinstance(q, SearchQuerySet):
+                resp = [r.object for r in q if r.object.id in l_id]
+                return resp
+            return q.filter(id__in=l_id)
 
         self.get_queryset = types.MethodType(get_qs, self)
         return super(CanViewMixin, self).dispatch(request, *arg, **kwargs)
diff --git a/forum/models.py b/forum/models.py
index 523b1169..c52f56db 100644
--- a/forum/models.py
+++ b/forum/models.py
@@ -331,9 +331,9 @@ class ForumMessage(models.Model):
         return user.can_edit(self.topic.forum)
 
     def can_be_viewed_by(self, user):
-        return (
-            not self._deleted
-        )  # No need to check the real rights since it's already done by the Topic view
+        return not self._deleted and self.topic.can_be_viewed_by(
+            user
+        )  # Useful in search engine
 
     def can_be_moderated_by(self, user):
         return self.topic.forum.is_owned_by(user) or user.id == self.author.id
diff --git a/forum/views.py b/forum/views.py
index 59d5a163..435eba3f 100644
--- a/forum/views.py
+++ b/forum/views.py
@@ -2,6 +2,7 @@
 #
 # Copyright 2016,2017,2018
 # - Skia
+# - Sli
 #
 # Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
 # http://ae.utbm.fr.
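Review bot: In the SearchQuerySet branch, `o.object` and `r.object` are dereferenced without a None check; haystack hands back None for a hit whose database row has since been deleted (a stale index), so `o.object.id` raises AttributeError outside the `try` and the whole listing fails instead of that one hit being skipped. The same branch also runs the search twice (once here to build `l_id`, again inside `get_qs`) and re-admits hits on the second pass by bare numeric id, so if a SearchQuerySet ever spans more than one model, a hit of another model that shares an id with a viewable object would pass the rights filter. Resolving the hits once, dropping None, filtering with `can_view` and handing that already-filtered list back from `get_qs` removes both problems and halves the backend queries. The enclosing `dispatch` starts before this hunk.
```python
        queryset = self.get_queryset()

        # Test if comes from a haystack query
        if isinstance(queryset, SearchQuerySet):
            # Resolve each hit once; a hit whose row no longer exists yields None.
            hits = [r.object for r in queryset]
            allowed = [o for o in hits if o is not None and can_view(o, request.user)]
            l_id = [o.id for o in allowed]
        else:
            allowed = None
            l_id = [o.id for o in queryset if can_view(o, request.user)]
        if not l_id and queryset.count() != 0:
            raise PermissionDenied
        self._get_queryset = self.get_queryset

        def get_qs(self2):
            # Haystack hits were already resolved and rights-filtered above.
            if allowed is not None:
                return allowed
            return self2._get_queryset().filter(id__in=l_id)
        # … unchanged: types.MethodType binding and super().dispatch call …
```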
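Review bot: The new trailing comment `# Useful in search engine` in `ForumMessage.can_be_viewed_by` does not say why the rights check moved here, which is exactly what a later reader needs before relaxing it again; the comment it replaces had explicitly justified skipping the check. Suggest `# Messages are now reachable directly (e.g. from search results), so the topic's rights must be checked here as well`. Note that the method now follows `self.topic` and whatever `ForumTopic.can_be_viewed_by` does (outside this hunk) on every call, so code that checks many messages in a loop may want the topic prefetched.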
@@ -42,13 +43,13 @@ from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta
 from haystack.query import SearchQuerySet
 
 
-class ForumSearchView(ListView):
+class ForumSearchView(CanViewMixin, ListView):
     template_name = "forum/search.jinja"
 
     def get_queryset(self):
         query = self.request.GET.get("query", "")
-        q = SearchQuerySet().models(ForumMessage).autocomplete(auto=query)
-        return [r.object for r in q]
+        return SearchQuerySet().models(ForumMessage).autocomplete(auto=query)
+        # return [r.object for r in q]
 
 
 class ForumMainView(ListView):
-- 
GitLab
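Review bot: The added line `# return [r.object for r in q]` is commented-out code placed after a `return`, and it refers to a local `q` that this hunk removes; it should be deleted rather than kept as dead text. If the intent was to record that hit resolution now happens elsewhere, a docstring on `get_queryset` says that without leaving stale code behind, e.g. `"""Return the raw haystack result set; CanViewMixin resolves the hits and filters them by view rights."""`. As written, the raw SearchQuerySet is evaluated by the mixin rather than here, so this method itself does no rights check.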