Commit
3fdb83c1
authored
Dec 06, 2018
by
Sli
Committed by
Skia
Dec 13, 2018
forum and core: add access rights on search query
parent
525b047b
Showing
3 changed files
with
24 additions
and
9 deletions
+24
-9
core/views/__init__.py
core/views/__init__.py
+17
-3
forum/models.py
forum/models.py
+3
-3
forum/views.py
forum/views.py
+4
-3
core/views/__init__.py
...
...
@@ -2,6 +2,7 @@
#
# Copyright 2016,2017
# - Skia <skia@libskia.so>
# - Sli <antoine@bartuccio.fr>
#
# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
# http://ae.utbm.fr.
...
...
@@ -42,6 +43,7 @@ from django.db.models import Count
from
core.models
import
Group
from
core.views.forms
import
LoginForm
from
haystack.query
import
SearchQuerySet
def
forbidden
(
request
):
...
...
@@ -176,6 +178,7 @@ class CanViewMixin(View):
"""
def
dispatch
(
self
,
request
,
*
arg
,
**
kwargs
):
try
:
self
.
object
=
self
.
get_object
()
if
can_view
(
self
.
object
,
request
.
user
):
...
...
@@ -184,13 +187,24 @@ class CanViewMixin(View):
except
:
pass
# If we get here, it's a ListView
l_id
=
[
o
.
id
for
o
in
self
.
get_queryset
()
if
can_view
(
o
,
request
.
user
)]
if
not
l_id
and
self
.
get_queryset
().
count
()
!=
0
:
queryset
=
self
.
get_queryset
()
# Test if comes from a haystack query
if
isinstance
(
queryset
,
SearchQuerySet
):
l_id
=
[
o
.
object
.
id
for
o
in
queryset
if
can_view
(
o
.
object
,
request
.
user
)]
else
:
l_id
=
[
o
.
id
for
o
in
queryset
if
can_view
(
o
,
request
.
user
)]
if
not
l_id
and
queryset
.
count
()
!=
0
:
raise
PermissionDenied
self
.
_get_queryset
=
self
.
get_queryset
def
get_qs
(
self2
):
return
self2
.
_get_queryset
().
filter
(
id__in
=
l_id
)
q
=
self2
.
_get_queryset
()
# Test if comes from a haystack query
if
isinstance
(
q
,
SearchQuerySet
):
resp
=
[
r
.
object
for
r
in
q
if
r
.
object
.
id
in
l_id
]
return
resp
return
q
.
filter
(
id__in
=
l_id
)
self
.
get_queryset
=
types
.
MethodType
(
get_qs
,
self
)
return
super
(
CanViewMixin
,
self
).
dispatch
(
request
,
*
arg
,
**
kwargs
)
...
...
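Review bot: In the rewritten ListView branch of `CanViewMixin.dispatch`, `if not l_id and queryset.count() != 0: raise PermissionDenied` now also runs for haystack results, so a search whose hits are all hidden from the user answers 403 while a search with no hits renders an empty page; that difference tells the requester that restricted messages match the term. For a `SearchQuerySet` I would skip the raise and let the filtered (empty) list render, e.g. `if not l_id and not isinstance(queryset, SearchQuerySet) and queryset.count() != 0:`. Separately, `o.object.id` assumes every hit still has a database row; haystack gives `None` for `.object` when the index is stale, so the comprehension wants `if o.object is not None and can_view(o.object, request.user)`, with the same guard on `r.object` in `get_qs`. `dispatch` begins above this hunk, and the bare `except: pass` ahead of the new code is unchanged context.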
forum/models.py
...
...
@@ -331,9 +331,9 @@ class ForumMessage(models.Model):
return
user
.
can_edit
(
self
.
topic
.
forum
)
def
can_be_viewed_by
(
self
,
user
):
return
(
not
self
.
_deleted
)
#
No need to check the real rights since it's already done by the Topic view
return
not
self
.
_deleted
and
self
.
topic
.
can_be_viewed_by
(
user
)
#
Useful in search engine
def
can_be_moderated_by
(
self
,
user
):
return
self
.
topic
.
forum
.
is_owned_by
(
user
)
or
user
.
id
==
self
.
author
.
id
...
...
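Review bot: The trailing comment `# Useful in search engine` on `ForumMessage.can_be_viewed_by` undersells what the method has become: for messages reached through search it appears to be the only access check, because no topic view sits in front of them. I would replace it with a comment above the return such as `# Also enforce the topic's view rights: search results reach messages without going through the topic view.` Each call now dereferences `self.topic`, so a caller that filters many messages pays an extra lookup per message unless the topic is prefetched. The `ForumMessage` class starts and ends outside this hunk.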
forum/views.py
...
...
@@ -2,6 +2,7 @@
#
# Copyright 2016,2017,2018
# - Skia <skia@libskia.so>
# - Sli <antoine@bartuccio.fr>
#
# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
# http://ae.utbm.fr.
...
...
@@ -42,13 +43,13 @@ from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta
from
haystack.query
import
SearchQuerySet
class
ForumSearchView
(
ListView
):
class
ForumSearchView
(
CanViewMixin
,
ListView
):
template_name
=
"forum/search.jinja"
def
get_queryset
(
self
):
query
=
self
.
request
.
GET
.
get
(
"query"
,
""
)
q
=
SearchQuerySet
().
models
(
ForumMessage
).
autocomplete
(
auto
=
query
)
return
[
r
.
object
for
r
in
q
]
return
SearchQuerySet
().
models
(
ForumMessage
).
autocomplete
(
auto
=
query
)
#
return [r.object for r in q]
class
ForumMainView
(
ListView
):
...
...
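Review bot: `ForumSearchView.get_queryset` hands the whole `autocomplete(auto=query)` result to `CanViewMixin`, which walks every hit and loads its `.object` to check rights, and nothing visible here bounds that work: `query` defaults to `""`, has no length floor or cap, and the class sets no `paginate_by`. A blank or very common term can therefore make a single request load a large share of the forum's messages. I would return early for an empty term, `if not query.strip(): return SearchQuerySet().none()`, and slice the result set before the rights filter runs. The leftover `# return [r.object for r in q]` should be deleted rather than kept as a comment.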