Set partitions to private by default (inaccessible from search for other users)

2025-01-23 09:16:25 +01:00 · 2024-02-29 13:14:28 +01:00 · 2024-02-29 13:14:28 +01:00 · 40becb01ce
commit 40becb01ce
parent 988f85b134
3 changed files with 51 additions and 3 deletions
--- a/default_config.py
+++ b/default_config.py
@ -17,6 +17,9 @@ DISABLE_REGISTER=False
 # Disable account deletion for users (still possible for admins)
 DISABLE_ACCOUNT_DELETION=False

+# Set this to True if you want local search to be across all albums (not just those the user belong to)
+PRIVATE_SEARCH=False
+
 # Front URL of the application (for QRCodes generation)
 BASE_URL="http://localhost:5000"

--- a/partitioncloud/modules/albums.py
+++ b/partitioncloud/modules/albums.py
@ -43,12 +43,18 @@ def search_page():
        flash(_("Missing search query"))
        return redirect("/albums")

+    user = User(user_id=session.get("user_id"))
+
    query = request.form["query"]
    nb_queries = abs(int(request.form["nb-queries"]))
    search.flush_cache(current_app.instance_path)
-    partitions_local = search.local_search(query, utils.get_all_partitions())
    
-    user = User(user_id=session.get("user_id"))
+    partitions_list = None
+    if current_app.config["PRIVATE_SEARCH"]:
+        partitions_list = utils.get_all_partitions()
+    else:
+        partitions_list = user.get_accessible_partitions()
+    partitions_local = search.local_search(query, partitions_list)

    if nb_queries > 0:
        if user.access_level != 1:
--- a/partitioncloud/modules/classes/user.py
+++ b/partitioncloud/modules/classes/user.py
@ -33,6 +33,7 @@ class User():
        self.albums = None
        self.groupes = None
        self.partitions = None
+        self.accessible_partitions = None
        self.max_queries = 0

        db = get_db()
@ -169,6 +170,44 @@ class User():
                ).fetchall()
        return self.partitions

+    def get_accessible_partitions(self, force_reload=False):
+        if self.accessible_partitions is None or force_reload:
+            db = get_db()
+            if self.access_level == 1:
+                self.accessible_partitions = db.execute(
+                    """
+                    SELECT * FROM partition
+                    """
+                ).fetchall()
+            else:
+                self.accessible_partitions = db.execute(
+                    """
+                    SELECT partition.uuid, partition.name,
+                        partition.author, partition.body,
+                        partition.user_id, partition.source
+                    FROM partition
+                        JOIN album
+                        JOIN contient_partition
+                        ON album.id=album_id
+                        AND partition.uuid=partition_uuid
+                    WHERE album.id IN (
+                        SELECT album.id FROM album
+                        JOIN contient_user
+                        ON contient_user.user_id=?
+                        AND album_id=album.id
+                    UNION
+                        SELECT album.id FROM album
+                        JOIN groupe_contient_user
+                        JOIN groupe_contient_album
+                        ON groupe_contient_user.user_id=?
+                        AND groupe_contient_album.album_id=album.id
+                        AND groupe_contient_user.groupe_id=groupe_contient_album.groupe_id
+                    )
+                    """,
+                    (self.id, self.id,),
+                ).fetchall()
+        return self.accessible_partitions
+
    def join_album(self, album_uuid):
        db = get_db()
        album = Album(uuid=album_uuid)