From 9a5003f92a151f5936c787b7d772fc2e196ce716 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Sun, 3 Oct 2021 09:18:17 -0700
Subject: [PATCH 1/4] Don't let anonymous users search remote data
---
 bookwyrm/views/search.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bookwyrm/views/search.py b/bookwyrm/views/search.py
index df891266..4c19a193 100644
--- a/bookwyrm/views/search.py
+++ b/bookwyrm/views/search.py
@@ -67,11 +67,11 @@ class Search(View):
 return TemplateResponse(request, f"search/{search_type}.html", data)
-def book_search(query, _, min_confidence, search_remote=False):
+def book_search(query, user, min_confidence, search_remote=False):
 """the real business is elsewhere"""
 # try a local-only search
 results = [{"results": search(query, min_confidence=min_confidence)}]
- if results and not search_remote:
+ if not user.is_authenticated or (results and not search_remote):
 return results, False
 # if there were no local results, or the request was for remote, search all sources
From 4787d854b836ed30003a9fafa8e3a89057e1b9ac Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Sun, 3 Oct 2021 09:19:19 -0700
Subject: [PATCH 2/4] require auth on resolve book endpoint
---
 bookwyrm/views/books/books.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/bookwyrm/views/books/books.py b/bookwyrm/views/books/books.py
index 9de647a2..298ba5a3 100644
--- a/bookwyrm/views/books/books.py
+++ b/bookwyrm/views/books/books.py
@@ -172,6 +172,7 @@ def add_description(request, book_id):
 return redirect("book", book.id)
+@login_required
 @require_POST
 def resolve_book(request):
 """figure out the local path to a book from a remote_id"""
From ca7967a3a376d2b71b7d4d8b0f4b6ae6c4687ec6 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Sun, 3 Oct 2021 09:29:24 -0700
Subject: [PATCH 3/4] Adds test for remote search for anonymous user
---
 bookwyrm/tests/views/test_search.py | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
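Review bot: The new authorization rule on the `if not user.is_authenticated or ...` line is undocumented — the docstring still reads `"""the real business is elsewhere"""`, so a later maintainer has no hint that anonymous callers must never reach the remote-connector path, nor that `user` must be a request.user-like object exposing `is_authenticated` (Django's AnonymousUser does). I would replace the docstring with: `"""Search local books first, then remote connectors when needed. Remote (connector) search is restricted to authenticated users: an anonymous caller only ever gets the local results, even when search_remote is set. `user` is expected to be request.user (User or AnonymousUser)."""`. Note too that an anonymous request with `search_remote=True` is silently downgraded to a local search here, so the view or template presumably needs to tell the user why remote results are missing — that code is outside this hunk. book_search continues past the end of the hunk.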
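Review bot: With `@login_required` stacked outside `@require_POST`, an anonymous request to resolve_book is answered with a 302 redirect to the login page (carrying `?next=`) rather than a 403 or 405; that is right for a browser form post, but if this endpoint is called from script (fetch/XHR) the caller must treat that redirect as "not authorized" instead of parsing the HTML login page as a result — worth a one-line comment above the decorator. The docstring should also record why auth is now required; if resolving a remote_id fetches data from the remote instance (the body is outside the hunk, so this is inferred from the commit series), something like `"""Figure out the local path to a book from a remote_id. Login required: resolving an unknown remote_id can trigger a fetch from the remote instance, which anonymous users must not be able to drive."""`. The function body continues outside the hunk.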
diff --git a/bookwyrm/tests/views/test_search.py b/bookwyrm/tests/views/test_search.py
index da35f557..3299249a 100644
--- a/bookwyrm/tests/views/test_search.py
+++ b/bookwyrm/tests/views/test_search.py
@@ -51,7 +51,7 @@ class Views(TestCase):
 data = json.loads(response.content)
 self.assertEqual(len(data), 1)
 self.assertEqual(data[0]["title"], "Test Book")
- self.assertEqual(data[0]["key"], "https://%s/book/%d" % (DOMAIN, self.book.id))
+ self.assertEqual(data[0]["key"], f"https://{DOMAIN}/book/{self.book.id}")
 def test_search_no_query(self):
 """just the search page"""
@@ -91,12 +91,27 @@ class Views(TestCase):
 self.assertIsInstance(response, TemplateResponse)
 response.render()
 connector_results = response.context_data["results"]
+ self.assertEqual(len(connector_results), 2)
 self.assertEqual(connector_results[0]["results"][0].title, "Test Book")
 self.assertEqual(
 connector_results[1]["results"][0].title,
 "This Is How You Lose the Time War",
 )
+ # don't search remote
+ request = self.factory.get("", {"q": "Test Book", "remote": True})
+ anonymous_user = AnonymousUser
+ anonymous_user.is_authenticated = False
+ request.user = anonymous_user
+ with patch("bookwyrm.views.search.is_api_request") as is_api:
+ is_api.return_value = False
+ response = view(request)
+ self.assertIsInstance(response, TemplateResponse)
+ response.render()
+ connector_results = response.context_data["results"]
+ self.assertEqual(len(connector_results), 1)
+ self.assertEqual(connector_results[0]["results"][0].title, "Test Book")
+
 def test_search_users(self):
 """searches remote connectors"""
 view = views.Search.as_view()
From 9059b78b57601c0dcdf79732515ab0150d59f2dc Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Sun, 3 Oct 2021 09:44:27 -0700
Subject: [PATCH 4/4] Fixes testing if endpoint got results
---
 bookwyrm/views/search.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/bookwyrm/views/search.py b/bookwyrm/views/search.py
index 4c19a193..33ce3706 100644
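Review bot: `anonymous_user = AnonymousUser` followed by `anonymous_user.is_authenticated = False` assigns to the Django `AnonymousUser` class, not to an instance, replacing its `is_authenticated` property for every later use in the test process; the real property already returns False, so the assertions still hold, but the class mutation leaks across tests and hides whether the production check works against the real object. Use an instance instead — `request.user = AnonymousUser()` — and drop the two assignment lines. The test also proves the anonymous path only indirectly, via `self.assertEqual(len(connector_results), 1)`; if the connector search is mocked earlier in this test (outside the hunk), asserting that the mock was not called would pin the "no remote request for anonymous users" property directly. The test method starts before the hunk.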
--- a/bookwyrm/views/search.py
+++ b/bookwyrm/views/search.py
@@ -71,7 +71,7 @@ def book_search(query, user, min_confidence, search_remote=False):
 """the real business is elsewhere"""
 # try a local-only search
 results = [{"results": search(query, min_confidence=min_confidence)}]
- if not user.is_authenticated or (results[0]["results"] and not search_remote):
+ if not user.is_authenticated or (results[0]["results"] and not search_remote):
 return results, False
 # if there were no local results, or the request was for remote, search all sources
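Review bot: `results[0]["results"]` reaches back into the one-element list literal built on the line above, which makes the authorization check and the "did the local search find anything" check hard to tell apart on one line; binding the local hits to a name keeps both readable: `local_results = search(query, min_confidence=min_confidence)`, `results = [{"results": local_results}]`, `if not user.is_authenticated or (local_results and not search_remote):`. If `search()` returns a lazy queryset rather than a list, the truthiness test evaluates it here, which is presumably fine since the same object is returned to the caller — worth confirming against the helper. A short comment on the condition, `# anonymous users never reach the remote connectors, whatever search_remote says`, would also make the security intent explicit. book_search continues past the end of the hunk.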