forum and core: add a dedicated mixin to exclude unauthorized search results

Antoine Bartuccio 2018-12-07 11:36:24 +01:00 committed by Skia
parent 3fdb83c1c2
commit 076b10e325
2 changed files with 33 additions and 14 deletions


@ -189,27 +189,41 @@ class CanViewMixin(View):
# If we get here, it's a ListView # If we get here, it's a ListView
queryset = self.get_queryset() queryset = self.get_queryset()
# Test if comes from a haystack query l_id = [o.id for o in queryset if can_view(o, request.user)]
if isinstance(queryset, SearchQuerySet):
l_id = [o.object.id for o in queryset if can_view(o.object, request.user)]
else:
l_id = [o.id for o in queryset if can_view(o, request.user)]
if not l_id and queryset.count() != 0: if not l_id and queryset.count() != 0:
raise PermissionDenied raise PermissionDenied
self._get_queryset = self.get_queryset self._get_queryset = self.get_queryset
def get_qs(self2): def get_qs(self2):
q = self2._get_queryset() return self._get_queryset().filter(id__in=l_id)
# Test if comes from a haystack query
if isinstance(q, SearchQuerySet):
resp = [r.object for r in q if r.object.id in l_id]
return resp
return q.filter(id__in=l_id)
self.get_queryset = types.MethodType(get_qs, self) self.get_queryset = types.MethodType(get_qs, self)
return super(CanViewMixin, self).dispatch(request, *arg, **kwargs) return super(CanViewMixin, self).dispatch(request, *arg, **kwargs)
class CanViewSearchMixin(View):
"""
This view removes all forbidden content from a SearchQuerySet
"""
def dispatch(self, request, *arg, **kwargs):
queryset = self.get_queryset()
excluded = [
o.object.id for o in queryset if not can_view(o.object, request.user)
]
self._queryset = queryset
def get_qs(self2):
q = self2._queryset.exclude(id__in=excluded)
resp = [r.object for r in q]
return resp
self.get_queryset = types.MethodType(get_qs, self)
return super(CanViewSearchMixin, self).dispatch(request, *arg, **kwargs)
class FormerSubscriberMixin(View): class FormerSubscriberMixin(View):
""" """
This view check if the user was at least an old subscriber This view check if the user was at least an old subscriber
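Review bot: In `CanViewSearchMixin.dispatch`, the objects finally returned by `get_qs` (`[r.object for r in q]`) are never themselves passed through `can_view`; access control rests entirely on `self2._queryset.exclude(id__in=excluded)` removing the right index documents. That is a deny-list that fails open: `excluded` holds model primary keys, while Haystack's `id` document field is, as far as I know, the `app.model.pk` identifier (the model pk being stored in `django_id`), so it is worth confirming that the exclusion matches anything on the backend in use. Building the permitted list directly would fail closed and avoid the second search evaluation: `allowed = [r.object for r in queryset if r.object is not None and can_view(r.object, request.user)]`, with `get_qs` returning `allowed`. The `is not None` guard also covers stale index entries, where `o.object.id` would currently raise `AttributeError`. A test with a user who lacks access to a matching message would pin this behaviour.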


@ -37,19 +37,24 @@ from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger
from ajax_select import make_ajax_field from ajax_select import make_ajax_field
from core.views import CanViewMixin, CanEditMixin, CanEditPropMixin, CanCreateMixin from core.views import (
CanViewMixin,
CanEditMixin,
CanEditPropMixin,
CanCreateMixin,
CanViewSearchMixin,
)
from core.views.forms import MarkdownInput from core.views.forms import MarkdownInput
from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta from forum.models import Forum, ForumMessage, ForumTopic, ForumMessageMeta
from haystack.query import SearchQuerySet from haystack.query import SearchQuerySet
class ForumSearchView(CanViewMixin, ListView): class ForumSearchView(CanViewSearchMixin, ListView):
template_name = "forum/search.jinja" template_name = "forum/search.jinja"
def get_queryset(self): def get_queryset(self):
query = self.request.GET.get("query", "") query = self.request.GET.get("query", "")
return SearchQuerySet().models(ForumMessage).autocomplete(auto=query) return SearchQuerySet().models(ForumMessage).autocomplete(auto=query)
# return [r.object for r in q]
class ForumMainView(ListView): class ForumMainView(ListView):