Set partitions to private by default (inaccessible from search for other users)

default_config.py

@@ -17,6 +17,9 @@ DISABLE_REGISTER=False
 # Disable account deletion for users (still possible for admins)
 DISABLE_ACCOUNT_DELETION=False
 
+# Set this to True if you want local search to be across all albums (not just those the user belong to)
+PRIVATE_SEARCH=False
+
 # Front URL of the application (for QRCodes generation)
 BASE_URL="http://localhost:5000"
 

partitioncloud/modules/albums.py

@@ -43,12 +43,18 @@ def search_page():
         flash(_("Missing search query"))
         return redirect("/albums")
 
+    user = User(user_id=session.get("user_id"))
+
     query = request.form["query"]
     nb_queries = abs(int(request.form["nb-queries"]))
     search.flush_cache(current_app.instance_path)
-    partitions_local = search.local_search(query, utils.get_all_partitions())
+    
-
+    partitions_list = None
-    user = User(user_id=session.get("user_id"))
+    if current_app.config["PRIVATE_SEARCH"]:
+        partitions_list = utils.get_all_partitions()
+    else:
+        partitions_list = user.get_accessible_partitions()
+    partitions_local = search.local_search(query, partitions_list)
 
     if nb_queries > 0:
         if user.access_level != 1:

partitioncloud/modules/classes/user.py

@@ -33,6 +33,7 @@ class User():
         self.albums = None
         self.groupes = None
         self.partitions = None
+        self.accessible_partitions = None
         self.max_queries = 0
 
         db = get_db()
@@ -169,6 +170,44 @@ class User():
                 ).fetchall()
         return self.partitions
 
+    def get_accessible_partitions(self, force_reload=False):
+        if self.accessible_partitions is None or force_reload:
+            db = get_db()
+            if self.access_level == 1:
+                self.accessible_partitions = db.execute(
+                    """
+                    SELECT * FROM partition
+                    """
+                ).fetchall()
+            else:
+                self.accessible_partitions = db.execute(
+                    """
+                    SELECT partition.uuid, partition.name,
+                        partition.author, partition.body,
+                        partition.user_id, partition.source
+                    FROM partition
+                        JOIN album
+                        JOIN contient_partition
+                        ON album.id=album_id
+                        AND partition.uuid=partition_uuid
+                    WHERE album.id IN (
+                        SELECT album.id FROM album
+                        JOIN contient_user
+                        ON contient_user.user_id=?
+                        AND album_id=album.id
+                    UNION
+                        SELECT album.id FROM album
+                        JOIN groupe_contient_user
+                        JOIN groupe_contient_album
+                        ON groupe_contient_user.user_id=?
+                        AND groupe_contient_album.album_id=album.id
+                        AND groupe_contient_user.groupe_id=groupe_contient_album.groupe_id
+                    )
+                    """,
+                    (self.id, self.id,),
+                ).fetchall()
+        return self.accessible_partitions
+
     def join_album(self, album_uuid):
         db = get_db()
         album = Album(uuid=album_uuid)