From b4d16740c963bd8f5eb9f1e0ecfcf242cbd61502 Mon Sep 17 00:00:00 2001
From: alxjsn
Date: Sun, 14 Aug 2016 20:30:21 -0700
Subject: [PATCH] Added check for PRIVATE_WIKI in search fuction. Without this there would be information disclosure.
---
 realms/modules/search/views.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/realms/modules/search/views.py b/realms/modules/search/views.py
index f94d27e..0938684 100644
--- a/realms/modules/search/views.py
+++ b/realms/modules/search/views.py
@@ -1,4 +1,5 @@
-from flask import render_template, request, Blueprint
+from flask import render_template, request, Blueprint, current_app
+from flask.ext.login import current_user
 from realms import search as search_engine

 blueprint = Blueprint('search', __name__)
@@ -6,5 +7,8 @@ blueprint = Blueprint('search', __name__)

 @blueprint.route('/_search')
 def search():
+ if current_app.config.get('PRIVATE_WIKI') and current_user.is_anonymous():
+ return current_app.login_manager.unauthorized()
+
 results = search_engine.wiki(request.args.get('q'))
 return render_template('search/search.html', results=results)
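Review bot: The new import `from flask.ext.login import current_user` goes through the `flask.ext` redirect shim, which Flask 0.11 deprecated and Flask 1.0 removed. On a newer Flask this module would fail at import time and take the search blueprint with it. Importing the package directly, `from flask_login import current_user`, works on both old and new releases. Whether the rest of the project still uses the `flask.ext.*` form is not visible from this hunk.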
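Review bot: The PRIVATE_WIKI guard is written inline at the top of `search()`, so any other view in this blueprint, or any added later, has to repeat the same two lines by hand or it will serve content to anonymous users. Moving the check into a function registered with `@blueprint.before_request` (or an app-level `before_request` hook, if one exists outside this file) would enforce it once for every route. Separately, `current_user.is_anonymous()` is called as a method, but Flask-Login 0.3.0 turned `is_anonymous` into a property, so on newer versions the call raises `TypeError`; that fails closed with a 500 rather than leaking results, but the pinned version, which is not visible here, should be confirmed. A regression test that requests `/_search?q=<term>` anonymously with `PRIVATE_WIKI` enabled and asserts the unauthorized response would keep this disclosure from returning.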