Commit 3fdb83c1 authored by Sli's avatar Sli Committed by Skia

forum and core: add access rights on search query

parent 525b047b
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
# #
# Copyright 2016,2017 # Copyright 2016,2017
# - Skia <skia@libskia.so> # - Skia <skia@libskia.so>
# - Sli <antoine@bartuccio.fr>
# #
# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM, # Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
# http://ae.utbm.fr. # http://ae.utbm.fr.
...@@ -42,6 +43,7 @@ from django.db.models import Count ...@@ -42,6 +43,7 @@ from django.db.models import Count
from core.models import Group from core.models import Group
from core.views.forms import LoginForm from core.views.forms import LoginForm
from haystack.query import SearchQuerySet
def forbidden(request): def forbidden(request):
...@@ -176,6 +178,7 @@ class CanViewMixin(View): ...@@ -176,6 +178,7 @@ class CanViewMixin(View):
""" """
def dispatch(self, request, *arg, **kwargs): def dispatch(self, request, *arg, **kwargs):
try: try:
self.object = self.get_object() self.object = self.get_object()
if can_view(self.object, request.user): if can_view(self.object, request.user):
...@@ -184,13 +187,24 @@ class CanViewMixin(View): ...@@ -184,13 +187,24 @@ class CanViewMixin(View):
except: except:
pass pass
# If we get here, it's a ListView # If we get here, it's a ListView
l_id = [o.id for o in self.get_queryset() if can_view(o, request.user)] queryset = self.get_queryset()
if not l_id and self.get_queryset().count() != 0:
# Test if comes from a haystack query
if isinstance(queryset, SearchQuerySet):
l_id = [o.object.id for o in queryset if can_view(o.object, request.user)]
else:
l_id = [o.id for o in queryset if can_view(o, request.user)]
if not l_id and queryset.count() != 0:
raise PermissionDenied raise PermissionDenied
self._get_queryset = self.get_queryset self._get_queryset = self.get_queryset
def get_qs(self2): def get_qs(self2):
return self2._get_queryset().filter(id__in=l_id) q = self2._get_queryset()
# Test if comes from a haystack query
if isinstance(q, SearchQuerySet):
resp = [r.object for r in q if r.object.id in l_id]
return resp
return q.filter(id__in=l_id)
self.get_queryset = types.MethodType(get_qs, self) self.get_queryset = types.MethodType(get_qs, self)
return super(CanViewMixin, self).dispatch(request, *arg, **kwargs) return super(CanViewMixin, self).dispatch(request, *arg, **kwargs)
......
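Review bot: In the haystack branch at `l_id = [o.object.id for o in queryset if can_view(o.object, request.user)]`, `o.object` can be None when the index still holds a hit whose database row has since been removed, so a stale index entry turns the access check into an AttributeError (a 500) instead of a denied or skipped result; the same access is repeated as `r.object.id` in `get_qs`. Drop those hits before checking rights, e.g. `l_id = [o.object.id for o in queryset if o.object is not None and can_view(o.object, request.user)]` and `resp = [r.object for r in q if r.object is not None and r.object.id in l_id]`. Note also that `l_id` holds bare primary keys with no model attached, so `r.object.id in l_id` is only a sound filter while the SearchQuerySet is restricted to a single model, as the forum view in this commit does with `.models(ForumMessage)`; a mixed-model search would let an object of another model with a colliding pk pass, which is worth stating in a comment on the mixin or fixing by keying on `(r.model, r.pk)`. `dispatch` begins outside this hunk.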
...@@ -331,9 +331,9 @@ class ForumMessage(models.Model): ...@@ -331,9 +331,9 @@ class ForumMessage(models.Model):
return user.can_edit(self.topic.forum) return user.can_edit(self.topic.forum)
def can_be_viewed_by(self, user): def can_be_viewed_by(self, user):
return ( return not self._deleted and self.topic.can_be_viewed_by(
not self._deleted user
) # No need to check the real rights since it's already done by the Topic view ) # Useful in search engine
def can_be_moderated_by(self, user): def can_be_moderated_by(self, user):
return self.topic.forum.is_owned_by(user) or user.id == self.author.id return self.topic.forum.is_owned_by(user) or user.id == self.author.id
......
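Review bot: The trailing comment `# Useful in search engine` on `can_be_viewed_by` does not say why the topic check is now required; since this method is what CanViewMixin applies to every search hit once ForumSearchView stops materialising objects itself, that reliance should be written down for the next maintainer. Suggested docstring: `"""Return True if *user* may see this message: hidden once soft-deleted, otherwise governed by the parent topic's rights. This is the only check applied to search results, so it must stay complete."""`. Each call walks `self.topic` (and whatever `ForumTopic.can_be_viewed_by` touches), so callers iterating many messages should expect per-message queries unless the relation is prefetched; that cost is inferred from the access pattern, not visible in this hunk.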
...@@ -2,6 +2,7 @@ ...@@ -2,6 +2,7 @@
# #
# Copyright 2016,2017,2018 # Copyright 2016,2017,2018
# - Skia <skia@libskia.so> # - Skia <skia@libskia.so>
# - Sli <antoine@bartuccio.fr>
# #
# Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM, # Ce fichier fait partie du site de l'Association des Étudiants de l'UTBM,
# http://ae.utbm.fr. # http://ae.utbm.fr.
...@@ -42,13 +43,13 @@ from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta ...@@ -42,13 +43,13 @@ from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta
from haystack.query import SearchQuerySet from haystack.query import SearchQuerySet
class ForumSearchView(ListView): class ForumSearchView(CanViewMixin, ListView):
template_name = "forum/search.jinja" template_name = "forum/search.jinja"
def get_queryset(self): def get_queryset(self):
query = self.request.GET.get("query", "") query = self.request.GET.get("query", "")
q = SearchQuerySet().models(ForumMessage).autocomplete(auto=query) return SearchQuerySet().models(ForumMessage).autocomplete(auto=query)
return [r.object for r in q] # return [r.object for r in q]
class ForumMainView(ListView): class ForumMainView(ListView):
......
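Review bot: The commented-out `# return [r.object for r in q]` left under `get_queryset` is dead code and should be deleted rather than kept as a reminder, since the mixin now performs that materialisation. With `CanViewMixin` ahead of `ListView` in the bases, its `dispatch` iterates the whole result set and reads `.object` on every hit to apply `can_view` before any pagination, so a broad autocomplete query loads one row per hit; `return SearchQuerySet().models(ForumMessage).load_all().autocomplete(auto=query)` lets haystack fetch those objects in bulk. The `query` value is taken straight from `request.GET` with no length bound; whether the search backend tolerates arbitrarily long autocomplete input is not visible here, so consider capping it at the view.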