Added check for PRIVATE_WIKI in search function. Without this there would be information disclosure.
parent
4a38e896eb
commit
b4d16740c9
|
@ -1,4 +1,5 @@
|
||||||
from flask import render_template, request, Blueprint
|
from flask import render_template, request, Blueprint, current_app
|
||||||
|
from flask.ext.login import current_user
|
||||||
from realms import search as search_engine
|
from realms import search as search_engine
|
||||||
|
|
||||||
blueprint = Blueprint('search', __name__)
|
blueprint = Blueprint('search', __name__)
|
||||||
|
@ -6,5 +7,8 @@ blueprint = Blueprint('search', __name__)
|
||||||
|
|
||||||
@blueprint.route('/_search')
|
@blueprint.route('/_search')
|
||||||
def search():
|
def search():
|
||||||
|
if current_app.config.get('PRIVATE_WIKI') and current_user.is_anonymous():
|
||||||
|
return current_app.login_manager.unauthorized()
|
||||||
|
|
||||||
results = search_engine.wiki(request.args.get('q'))
|
results = search_engine.wiki(request.args.get('q'))
|
||||||
return render_template('search/search.html', results=results)
|
return render_template('search/search.html', results=results)
|
||||||
|
|
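Review bot: The PRIVATE_WIKI guard at the top of `search()` is enforced inline in this one view, so every other route that exposes wiki content has to repeat it, and a forgotten copy fails open, which is the same class of gap this commit closes. Consider moving the check into a hook that covers the whole blueprint or app, for example a small function registered with `@blueprint.before_request` that returns `current_app.login_manager.unauthorized()` when `PRIVATE_WIKI` is set and the user is anonymous, and returns None otherwise; whether the other blueprints already share such a check is not visible from this page. Separately, `current_user.is_anonymous()` is called as a method, which matches the old `flask.ext.login` import, but later Flask-Login releases expose `is_anonymous` as a property and the call would then raise, so this line is tied to the installed version. A regression test that requests `/_search` anonymously with `PRIVATE_WIKI` enabled and asserts that no results are rendered would pin the fix.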