server: prevent cache key collision

Since search queries get cached, when a search performed by a privileged user is repeated by an unprivileged user, they will receive a listing that erroneously includes unsafe posts. The same is true the other way around, a tag search that is first performed by an anonymous user will cause any hidden posts for that query to not show up for the logged in user. This is because the initial search claims the cache key.
2025-07-17 08:26:24 +00:00 · 2025-03-25 17:52:58 +01:00
parent 7e09f39cb9
commit 928f949e9e
2 changed files with 9 additions and 1 deletions
--- a/server/szurubooru/search/configs/post_search_config.py
+++ b/server/szurubooru/search/configs/post_search_config.py
@ -228,6 +228,11 @@ class PostSearchConfig(BaseSearchConfig):
            )
        return query.order_by(model.Post.post_id.desc())

+
+    @property
+    def can_list_unsafe(self) -> bool:
+        return self.user and auth.has_privilege(self.user, "posts:list:unsafe")
+
    @property
    def id_column(self) -> SaColumn:
        return model.Post.post_id
--- a/server/szurubooru/search/executor.py
+++ b/server/szurubooru/search/executor.py
@ -93,7 +93,10 @@ class Executor:
            if token.name == "random":
                disable_eager_loads = True

-        key = (id(self.config), hash(search_query), offset, limit)
+
+        can_list_unsafe = getattr(self.config, "can_list_unsafe", False)
+
+        key = (id(self.config), hash(search_query), offset, limit, can_list_unsafe)
        if cache.has(key):
            return cache.get(key)