Support owner and object permissions for advanced queries

2025-04-02 13:45:10 -05:00 · 2022-12-12 22:34:38 -08:00 · 2022-12-12 22:34:38 -08:00 · 4cf9ed9d26
commit 4cf9ed9d26
parent f8b77d7ef7
3 changed files with 32 additions and 5 deletions
--- a/src/documents/index.py
+++ b/src/documents/index.py
@ -6,6 +6,7 @@ from contextlib import contextmanager
 from dateutil.parser import isoparse
 from django.conf import settings
 from documents.models import Document
+from guardian.shortcuts import get_users_with_perms
 from whoosh import classify
 from whoosh import highlight
 from whoosh import query
@ -49,6 +50,10 @@ def get_schema():
        path=TEXT(sortable=True),
        path_id=NUMERIC(),
        has_path=BOOLEAN(),
+        owner=TEXT(),
+        owner_id=NUMERIC(),
+        has_owner=BOOLEAN(),
+        viewer_id=KEYWORD(commas=True),
    )


@ -90,6 +95,11 @@ def open_index_searcher():
 def update_document(writer, doc):
    tags = ",".join([t.name for t in doc.tags.all()])
    tags_ids = ",".join([str(t.id) for t in doc.tags.all()])
+    users_with_perms = get_users_with_perms(
+        doc,
+        only_with_perms_in=["view_document"],
+    )
+    viewer_ids = ",".join([str(u.id) for u in users_with_perms])
    writer.update_document(
        id=doc.pk,
        title=doc.title,
@ -110,6 +120,10 @@ def update_document(writer, doc):
        path=doc.storage_path.name if doc.storage_path else None,
        path_id=doc.storage_path.id if doc.storage_path else None,
        has_path=doc.storage_path is not None,
+        owner=doc.owner.username if doc.owner else None,
+        owner_id=doc.owner.id if doc.owner else None,
+        has_owner=doc.owner is not None,
+        viewer_id=viewer_ids if viewer_ids else None,
    )


@ -168,10 +182,17 @@ class DelayedQuery:
            elif k == "storage_path__isnull":
                criterias.append(query.Term("has_path", v == "false"))

+        user_criterias = [query.Term("has_owner", False)]
+        if "user" in self.query_params:
+            user_criterias.append(query.Term("owner_id", self.query_params["user"]))
+            user_criterias.append(
+                query.Term("viewer_id", str(self.query_params["user"])),
+            )
        if len(criterias) > 0:
+            criterias.append(query.Or(user_criterias))
            return query.And(criterias)
        else:
-            return None
+            return query.Or(user_criterias)

    def _get_query_sortedby(self):
        if "ordering" not in self.query_params:
--- a/src/documents/serialisers.py
+++ b/src/documents/serialisers.py
@ -341,7 +341,7 @@ class StoragePathField(serializers.PrimaryKeyRelatedField):
        return StoragePath.objects.all()


-class DocumentSerializer(DynamicFieldsModelSerializer, OwnedObjectSerializer):
+class DocumentSerializer(OwnedObjectSerializer, DynamicFieldsModelSerializer):

    correspondent = CorrespondentField(allow_null=True)
    tags = TagsField(many=True)
--- a/src/documents/views.py
+++ b/src/documents/views.py
@ -221,12 +221,12 @@ class DocumentTypeViewSet(ModelViewSet, PassUserMixin):


 class DocumentViewSet(
+    PassUserMixin,
    RetrieveModelMixin,
    UpdateModelMixin,
    DestroyModelMixin,
    ListModelMixin,
    GenericViewSet,
-    PassUserMixin,
 ):
    model = Document
    queryset = Document.objects.all()
@ -256,6 +256,7 @@ class DocumentViewSet(
        return Document.objects.distinct()

    def get_serializer(self, *args, **kwargs):
+        super().get_serializer(*args, **kwargs)
        fields_param = self.request.query_params.get("fields", None)
        if fields_param:
            fields = fields_param.split(",")
@ -263,7 +264,6 @@ class DocumentViewSet(
            fields = None
        truncate_content = self.request.query_params.get("truncate_content", "False")
        serializer_class = self.get_serializer_class()
-        kwargs.setdefault("user", self.request.user)  # PassUserMixin
        kwargs.setdefault("context", self.get_serializer_context())
        kwargs.setdefault("fields", fields)
        kwargs.setdefault("truncate_content", truncate_content.lower() in ["true", "1"])
@ -491,7 +491,7 @@ class DocumentViewSet(
        )


-class SearchResultSerializer(DocumentSerializer):
+class SearchResultSerializer(DocumentSerializer, PassUserMixin):
    def to_representation(self, instance):
        doc = Document.objects.get(id=instance["id"])
        r = super().to_representation(doc)
@ -527,6 +527,12 @@ class UnifiedSearchViewSet(DocumentViewSet):
        if self._is_search_request():
            from documents import index

+            if hasattr(self.request, "user"):
+                # pass user to query for perms
+                self.request.query_params._mutable = True
+                self.request.query_params["user"] = self.request.user.id
+                self.request.query_params._mutable = False
+
            if "query" in self.request.query_params:
                query_class = index.DelayedFullTextQuery
            elif "more_like_id" in self.request.query_params: