3 Commits

Author SHA1 Message Date
1ef928038f Merge 33a3807369 into 376f687c38 2025-03-26 19:15:36 +00:00
33a3807369 Merge pull request #2 from po5/priv-view-unsafe-posts
server: prevent cache key collision
2025-03-26 19:15:33 +00:00
Eva
928f949e9e server: prevent cache key collision
Since search queries get cached, when a search performed by a
privileged user is repeated by an unprivileged user, they will receive
a listing that erroneously includes unsafe posts. The same is true the
other way around: a tag search that is first performed by an anonymous
user will cause any hidden posts for that query to not show up for the
logged-in user. This is because the initial search claims the cache key.
2025-03-25 18:12:43 +01:00
2 changed files with 9 additions and 1 deletions


@ -228,6 +228,11 @@ class PostSearchConfig(BaseSearchConfig):
) )
return query.order_by(model.Post.post_id.desc()) return query.order_by(model.Post.post_id.desc())
@property
def can_list_unsafe(self) -> bool:
return self.user and auth.has_privilege(self.user, "posts:list:unsafe")
@property @property
def id_column(self) -> SaColumn: def id_column(self) -> SaColumn:
return model.Post.post_id return model.Post.post_id
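Review bot: `can_list_unsafe` is annotated `-> bool` but returns `self.user` itself when that is falsy, so with no user set the property yields `None` rather than `False`. Since the value is placed in the search cache key by the second file of this commit, an anonymous request and an unprivileged logged-in request for the same query would be stored under different keys for what should be the same listing (assuming `auth.has_privilege` returns a bool). Suggest `return bool(self.user and auth.has_privilege(self.user, "posts:list:unsafe"))`. A one-line docstring stating that this value is part of the cache key and must mirror the privilege check used to filter unsafe posts would also help; that filter sits above the hunk and is only partly visible here.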


@ -93,7 +93,10 @@ class Executor:
if token.name == "random": if token.name == "random":
disable_eager_loads = True disable_eager_loads = True
key = (id(self.config), hash(search_query), offset, limit)
can_list_unsafe = getattr(self.config, "can_list_unsafe", False)
key = (id(self.config), hash(search_query), offset, limit, can_list_unsafe)
if cache.has(key): if cache.has(key):
return cache.get(key) return cache.get(key)