Added check for PRIVATE_WIKI in search function. Without this there would be information disclosure.

alxjsn 2016-08-14 20:30:21 -07:00
parent 4a38e896eb
commit b4d16740c9


@ -1,4 +1,5 @@
from flask import render_template, request, Blueprint from flask import render_template, request, Blueprint, current_app
from flask.ext.login import current_user
from realms import search as search_engine from realms import search as search_engine
blueprint = Blueprint('search', __name__) blueprint = Blueprint('search', __name__)
@ -6,5 +7,8 @@ blueprint = Blueprint('search', __name__)
@blueprint.route('/_search') @blueprint.route('/_search')
def search(): def search():
if current_app.config.get('PRIVATE_WIKI') and current_user.is_anonymous():
return current_app.login_manager.unauthorized()
results = search_engine.wiki(request.args.get('q')) results = search_engine.wiki(request.args.get('q'))
return render_template('search/search.html', results=results) return render_template('search/search.html', results=results)
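Review bot: The PRIVATE_WIKI guard is inlined in `search()` only, so any route added to this blueprint later has to repeat it by hand, which is presumably how this view was left unprotected in the first place. Consider moving the same two lines into a hook registered with `@blueprint.before_request`, or reuse the decorator the other wiki views rely on if one exists; that is not visible from this page. Separately, `current_user.is_anonymous()` is called as a method, but from Flask-Login 0.3.0 on `is_anonymous` is a property, so confirm the pinned version; otherwise the call raises `TypeError` and the route returns a 500 instead of the login response. A regression test that requests `/_search` anonymously with `PRIVATE_WIKI` enabled and asserts no results are rendered would keep this from reopening.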