Set partitions to private by default (inaccessible from search for other users)

This commit is contained in:
augustin64 2024-02-29 13:14:28 +01:00
parent 988f85b134
commit 40becb01ce
3 changed files with 51 additions and 3 deletions


@ -17,6 +17,9 @@ DISABLE_REGISTER=False
# Disable account deletion for users (still possible for admins) # Disable account deletion for users (still possible for admins)
DISABLE_ACCOUNT_DELETION=False DISABLE_ACCOUNT_DELETION=False
# Set this to True if you want local search to be across all albums (not just those the user belong to)
PRIVATE_SEARCH=False
# Front URL of the application (for QRCodes generation) # Front URL of the application (for QRCodes generation)
BASE_URL="http://localhost:5000" BASE_URL="http://localhost:5000"
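Review bot: The new `PRIVATE_SEARCH` flag reads inverted: `True` makes local search cover every partition (the less private behaviour), while the "private by default" behaviour named in the commit title corresponds to `False`; a name such as `SEARCH_ALL_PARTITIONS` would match what the comment describes, though renaming also touches the `current_app.config` lookup in the search view. At minimum the comment should state what the value actually selects and fix "the user belong to", e.g. `# Set this to True if you want local search to cover all partitions, not only those in albums the user belongs to`. The same inversion is visible where the flag is consumed in `search_page` in the next section.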


@ -43,12 +43,18 @@ def search_page():
flash(_("Missing search query")) flash(_("Missing search query"))
return redirect("/albums") return redirect("/albums")
user = User(user_id=session.get("user_id"))
query = request.form["query"] query = request.form["query"]
nb_queries = abs(int(request.form["nb-queries"])) nb_queries = abs(int(request.form["nb-queries"]))
search.flush_cache(current_app.instance_path) search.flush_cache(current_app.instance_path)
partitions_local = search.local_search(query, utils.get_all_partitions())
user = User(user_id=session.get("user_id")) partitions_list = None
if current_app.config["PRIVATE_SEARCH"]:
partitions_list = utils.get_all_partitions()
else:
partitions_list = user.get_accessible_partitions()
partitions_local = search.local_search(query, partitions_list)
if nb_queries > 0: if nb_queries > 0:
if user.access_level != 1: if user.access_level != 1:
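Review bot: `partitions_list = None` is a dead assignment, since both branches of the `if` that follows set `partitions_list` before it is used; dropping it, or writing `partitions_list = utils.get_all_partitions() if current_app.config["PRIVATE_SEARCH"] else user.get_accessible_partitions()`, reads cleaner. Reading the flag with `current_app.config["PRIVATE_SEARCH"]` raises `KeyError` on an instance config that predates this commit unless the defaults file in the first section is always loaded first — if that is not guaranteed, `current_app.config.get("PRIVATE_SEARCH", False)` keeps the new restricted-by-default behaviour without breaking existing installs. `search_page` starts and ends outside the hunk.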


@ -33,6 +33,7 @@ class User():
self.albums = None self.albums = None
self.groupes = None self.groupes = None
self.partitions = None self.partitions = None
self.accessible_partitions = None
self.max_queries = 0 self.max_queries = 0
db = get_db() db = get_db()
@ -169,6 +170,44 @@ class User():
).fetchall() ).fetchall()
return self.partitions return self.partitions
def get_accessible_partitions(self, force_reload=False):
if self.accessible_partitions is None or force_reload:
db = get_db()
if self.access_level == 1:
self.accessible_partitions = db.execute(
"""
SELECT * FROM partition
"""
).fetchall()
else:
self.accessible_partitions = db.execute(
"""
SELECT partition.uuid, partition.name,
partition.author, partition.body,
partition.user_id, partition.source
FROM partition
JOIN album
JOIN contient_partition
ON album.id=album_id
AND partition.uuid=partition_uuid
WHERE album.id IN (
SELECT album.id FROM album
JOIN contient_user
ON contient_user.user_id=?
AND album_id=album.id
UNION
SELECT album.id FROM album
JOIN groupe_contient_user
JOIN groupe_contient_album
ON groupe_contient_user.user_id=?
AND groupe_contient_album.album_id=album.id
AND groupe_contient_user.groupe_id=groupe_contient_album.groupe_id
)
""",
(self.id, self.id,),
).fetchall()
return self.accessible_partitions
def join_album(self, album_uuid): def join_album(self, album_uuid):
db = get_db() db = get_db()
album = Album(uuid=album_uuid) album = Album(uuid=album_uuid)
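Review bot: `get_accessible_partitions` can return the same partition several times for non-admin users: the outer `JOIN contient_partition` yields one row per (album, partition) pair, so a partition filed in two albums the user can reach appears twice and the search built on it would carry the duplicate; `SELECT DISTINCT partition.uuid, partition.name,` on that query avoids it. The two branches also return different row shapes (`SELECT *` when `access_level == 1`, an explicit column list otherwise), so callers see different columns depending on the user's role — selecting the same explicit columns in both branches would be safer. The method has no docstring; something like `"""Return the partitions this user may search: every partition when access_level == 1, otherwise those in albums reached directly or through a group; cached on the instance, pass force_reload=True to refresh."""` would document the contract (whether access level 1 denotes an administrator is only inferred from the `user.access_level != 1` check in the search view, not shown here).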