Add permission check for search

73bbe508 · Hangzhi Yu · eefc706a · 73bbe508 · 73bbe508
Commit 73bbe508 authored 4 years ago by Hangzhi Yu
--- a/aleksis/core/urls.py
+++ b/aleksis/core/urls.py
@@ -9,6 +9,7 @@ from django.views.i18n import JavaScriptCatalog
 import calendarweek.django
 import debug_toolbar
 from django_js_reverse.views import urls_js
+from rules.contrib.views import permission_required
 from two_factor.urls import urlpatterns as tf_urls

 from . import views
@@ -41,7 +42,7 @@ urlpatterns = [
    path("announcement/edit/<int:pk>/", views.announcement_form, name="edit_announcement"),
    path("announcement/delete/<int:pk>/", views.delete_announcement, name="delete_announcement"),
    path("search/searchbar/", views.searchbar_snippets, name="searchbar_snippets"),
-    path("search/", include("haystack.urls")),
+    path("search/", views.PermissionSearchView(), name="haystack_search"),
    path("maintenance-mode/", include("maintenance_mode.urls")),
    path("impersonate/", include("impersonate.urls")),
    path("__i18n__/", include("django.conf.urls.i18n")),

--- a/aleksis/core/views.py
+++ b/aleksis/core/views.py
@@ -2,6 +2,7 @@ from importlib import import_module
 from typing import Optional

 from django.apps import apps
+from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.core.exceptions import PermissionDenied
 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404, redirect, render
@@ -11,6 +12,7 @@ from django_tables2 import RequestConfig
 from guardian.shortcuts import get_objects_for_user
 from haystack.inputs import AutoQuery
 from haystack.query import SearchQuerySet
+from haystack.views import SearchView
 from rules.contrib.views import permission_required

 from .forms import (
@@ -364,3 +366,13 @@ def searchbar_snippets(request: HttpRequest) -> HttpResponse:
    context = {"results": results}

    return render(request, "search/searchbar_snippets.html", context)
+
+
+class PermissionSearchView(PermissionRequiredMixin, SearchView):
+    permission_required = "core.search"
+
+    def create_response(self):
+        context = self.get_context()
+        if not self.has_permission():
+            return self.handle_no_permission()
+        return render(self.request, self.template, context)