From 73bbe508074dd4bef04bbf9604957795b1088ba1 Mon Sep 17 00:00:00 2001
From: Hangzhi <hangzhi@protonmail.com>
Date: Wed, 22 Apr 2020 22:14:21 +0200
Subject: [PATCH] Add permission check for search

---
 aleksis/core/urls.py  |  3 ++-
 aleksis/core/views.py | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/aleksis/core/urls.py b/aleksis/core/urls.py
index 5de76472c..6c1648ee4 100644
--- a/aleksis/core/urls.py
+++ b/aleksis/core/urls.py
@@ -9,6 +9,7 @@ from django.views.i18n import JavaScriptCatalog
 import calendarweek.django
 import debug_toolbar
 from django_js_reverse.views import urls_js
+from rules.contrib.views import permission_required
 from two_factor.urls import urlpatterns as tf_urls
 
 from . import views
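Review bot: The added `from rules.contrib.views import permission_required` does not appear to be used by anything this patch changes in urls.py; the only other change routes to `views.PermissionSearchView()` and never references the decorator. If nothing else in the file uses it, drop the import. A leftover authorization import in a URLconf suggests a route is being wrapped when it is not.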
@@ -41,7 +42,7 @@ urlpatterns = [
     path("announcement/edit/<int:pk>/", views.announcement_form, name="edit_announcement"),
     path("announcement/delete/<int:pk>/", views.delete_announcement, name="delete_announcement"),
     path("search/searchbar/", views.searchbar_snippets, name="searchbar_snippets"),
-    path("search/", include("haystack.urls")),
+    path("search/", views.PermissionSearchView(), name="haystack_search"),
     path("maintenance-mode/", include("maintenance_mode.urls")),
     path("impersonate/", include("impersonate.urls")),
     path("__i18n__/", include("django.conf.urls.i18n")),
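Review bot: The new `search/` route registers a single `views.PermissionSearchView()` instance, so every request shares one object. Haystack's old-style `SearchView` stores `request`, `form`, `query` and `results` on `self`. Because `has_permission()` reads `self.request.user`, under a threaded server one request's permission check could be evaluated against, or rendered with, another request's state. Haystack ships `search_view_factory` for this; consider `path("search/", search_view_factory(view_class=views.PermissionSearchView), name="haystack_search"),` with `from haystack.views import search_view_factory`. A test that requests `search/` as a user without `core.search` would also pin the denial behaviour.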
diff --git a/aleksis/core/views.py b/aleksis/core/views.py
index 834443550..151852d84 100644
--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -2,6 +2,7 @@ from importlib import import_module
 from typing import Optional
 
 from django.apps import apps
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.core.exceptions import PermissionDenied
 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404, redirect, render
@@ -11,6 +12,7 @@ from django_tables2 import RequestConfig
 from guardian.shortcuts import get_objects_for_user
 from haystack.inputs import AutoQuery
 from haystack.query import SearchQuerySet
+from haystack.views import SearchView
 from rules.contrib.views import permission_required
 
 from .forms import (
@@ -364,3 +366,13 @@ def searchbar_snippets(request: HttpRequest) -> HttpResponse:
     context = {"results": results}
 
     return render(request, "search/searchbar_snippets.html", context)
+
+
+class PermissionSearchView(PermissionRequiredMixin, SearchView):
+    permission_required = "core.search"
+
+    def create_response(self):
+        context = self.get_context()
+        if not self.has_permission():
+            return self.handle_no_permission()
+        return render(self.request, self.template, context)
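Review bot: In `create_response` the permission check runs after `self.get_context()`, so the context is built for a user who may then be refused. As far as haystack's old-style `SearchView.__call__` goes, the form is built and the query executed before `create_response` is reached at all, so the check only gates rendering, not the search. Moving the check to the top of `__call__` denies before any query work is done and makes the `create_response` override unnecessary. The class also lacks a docstring; one line should say that `PermissionRequiredMixin.dispatch` is never invoked on this callable-style view, which is why the check is called by hand.

```python
class PermissionSearchView(PermissionRequiredMixin, SearchView):
    permission_required = "core.search"

    def __call__(self, request):
        # Deny before the base class builds the form and runs the query.
        self.request = request
        if not self.has_permission():
            return self.handle_no_permission()
        return super().__call__(request)
```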
-- 
GitLab