From b4d16740c963bd8f5eb9f1e0ecfcf242cbd61502 Mon Sep 17 00:00:00 2001
From: alxjsn <alexjasonleahu@gmail.com>
Date: Sun, 14 Aug 2016 20:30:21 -0700
Subject: [PATCH] Added check for PRIVATE_WIKI in search fuction. Without this
 there would be information disclosure.

---
 realms/modules/search/views.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/realms/modules/search/views.py b/realms/modules/search/views.py
index f94d27e..0938684 100644
--- a/realms/modules/search/views.py
+++ b/realms/modules/search/views.py
@@ -1,4 +1,5 @@
-from flask import render_template, request, Blueprint
+from flask import render_template, request, Blueprint, current_app
+from flask.ext.login import current_user
 from realms import search as search_engine
 
 blueprint = Blueprint('search', __name__)
@@ -6,5 +7,8 @@ blueprint = Blueprint('search', __name__)
 
 @blueprint.route('/_search')
 def search():
+    if current_app.config.get('PRIVATE_WIKI') and current_user.is_anonymous():
+        return current_app.login_manager.unauthorized()
+
     results = search_engine.wiki(request.args.get('q'))
     return render_template('search/search.html', results=results)