From 40b1a0b60abca3d86ded7c806fefbdcd298292b2 Mon Sep 17 00:00:00 2001
From: Adrian Moennich <adrian.moennich@cern.ch>
Date: Tue, 18 May 2021 11:24:31 +0200
Subject: [PATCH] Citadel: Move get_user_access to plugin

---
 citadel/indico_citadel/search.py |  6 +++---
 citadel/indico_citadel/util.py   | 15 +++++++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/citadel/indico_citadel/search.py b/citadel/indico_citadel/search.py
index e62cd77..0a21cb6 100644
--- a/citadel/indico_citadel/search.py
+++ b/citadel/indico_citadel/search.py
@@ -16,7 +16,7 @@ from indico.modules.search.base import IndicoSearchProvider, SearchOption
 
 from indico_citadel import _
 from indico_citadel.result_schemas import CitadelResultSchema
-from indico_citadel.util import format_filters, format_query
+from indico_citadel.util import format_filters, format_query, get_user_access
 
 
 class CitadelProvider(IndicoSearchProvider):
@@ -28,7 +28,7 @@ class CitadelProvider(IndicoSearchProvider):
         self.backend_url = CitadelPlugin.settings.get('search_backend_url')
         self.records_url = url_join(self.backend_url, 'api/records/')
 
-    def search(self, query, access, page=1, object_types=(), **params):
+    def search(self, query, user=None, page=1, object_types=(), **params):
         # https://cern-search.docs.cern.ch/usage/operations/#query-documents
         # this token is used by the backend to authenticate and also to filter
         # the objects that we can actually read
@@ -48,7 +48,7 @@ class CitadelProvider(IndicoSearchProvider):
                          'type': [x.name for x in object_types], 'sort': sort, 'default_operator': operator,
                          **filter_query}
         # Filter by the objects that can be viewed by users/groups in the `access` argument
-        if access:
+        if access := get_user_access(user):
             access_string = ','.join(access)
             if len(access_string) > 1024:
                 access_string_gz = base64.b64encode(zlib.compress(access_string.encode(), level=9))
diff --git a/citadel/indico_citadel/util.py b/citadel/indico_citadel/util.py
index d000fed..8fa959c 100644
--- a/citadel/indico_citadel/util.py
+++ b/citadel/indico_citadel/util.py
@@ -13,6 +13,9 @@ from functools import wraps
 from flask import current_app
 from flask.globals import _app_ctx_stack
 
+from indico.modules.groups import GroupProxy
+from indico.util.caching import memoize_redis
+
 
 def parallelize(func, entries, batch_size=200):
     @wraps(func)
@@ -136,3 +139,15 @@ def remove_none_entries(obj):
     elif isinstance(obj, (list, tuple, set)):
         return type(obj)(map(remove_none_entries, obj))
     return obj
+
+
+@memoize_redis(3600)
+def get_user_access(user):
+    if not user:
+        return []
+    access = [user.identifier] + [u.identifier for u in user.get_merged_from_users_recursive()]
+    access += [GroupProxy(x.id, _group=x).identifier for x in user.local_groups]
+    if user.can_get_all_multipass_groups:
+        access += [GroupProxy(x.name, x.provider.name, x).identifier
+                   for x in user.iter_all_multipass_groups()]
+    return access