Implement hashing bypass for groups

2022-08-16 19:43:55 +01:00
parent e67eee8cc8
commit e08a7677ef
11 changed files with 123 additions and 63 deletions
--- a/core/views/ui/drilldown.py
+++ b/core/views/ui/drilldown.py
@@ -106,7 +106,7 @@ def drilldown_search(request, return_context=False, template=None):
    query_params.update(tmp_get)

    if "index" in query_params:
-        if not request.user.is_superuser:
+        if not request.user.is_superuser and not query_params["index"] == "main":
            message = "You can't use the index parameter"
            message_class = "danger"
            context = {"message": message, "class": message_class}
@@ -253,7 +253,7 @@ class DrilldownContextModal(APIView):
            self.template_name = "modals/context_table.html"

        size = 20
-        nicks = None
+        nicks_sensitive = None
        query = False
        # Create the query params from the POST arguments
        mandatory = ["net", "channel", "num", "src", "index", "nick", "type", "mtype"]
@@ -272,51 +272,57 @@ class DrilldownContextModal(APIView):
        if settings.HASHING:
            SAFE_PARAMS = deepcopy(query_params)
            hash_lookup(SAFE_PARAMS)
+        else:
+            SAFE_PARAMS = query_params

        type = None
-        # SUPERUSER BLOCK #
        if request.user.is_superuser:
-            if "type" in SAFE_PARAMS:
-                type = SAFE_PARAMS["type"]
+            if "type" in query_params:
+                type = query_params["type"]
                if type == "znc":
+                    query_params["channel"] = "*status"
                    SAFE_PARAMS["channel"] = "*status"

            if type in ["query", "notice"]:
-                nicks = [SAFE_PARAMS["channel"], SAFE_PARAMS["nick"]]
+                nicks_sensitive = [
+                    SAFE_PARAMS["channel"],
+                    SAFE_PARAMS["nick"],
+                ]  # UNSAFE
+                # nicks = [query_params["channel"], query_params["nick"]]
                query = True

            if (
-                SAFE_PARAMS["index"] == "int"
-                and SAFE_PARAMS["mtype"] == "msg"
+                query_params["index"] == "int"
+                and query_params["mtype"] == "msg"
                and not type == "query"
            ):
+                query_params["index"] = "main"
                SAFE_PARAMS["index"] = "main"

-            if SAFE_PARAMS["type"] in ["znc", "auth"]:
+            if query_params["type"] in ["znc", "auth"]:
                query = True

-        # SUPERUSER BLOCK #
-
        if not request.user.is_superuser:
-            if "index" in SAFE_PARAMS:
-                SAFE_PARAMS["index"] = "main"
+            query_params["index"] = "main"
+            SAFE_PARAMS["index"] = "main"

-        SAFE_PARAMS["sorting"] = "desc"
+        query_params["sorting"] = "desc"
+        SAFE_PARAMS["index"] = "main"

        annotate = False
-        if SAFE_PARAMS["src"] == "irc":
-            if SAFE_PARAMS["type"] in ["query", "notice", "msg", "highlight"]:
+        if query_params["src"] == "irc":
+            if query_params["type"] not in ["znc", "auth"]:
                annotate = True
        # Create the query with the context helper
        search_query = construct_query(
-            SAFE_PARAMS["index"],
+            query_params["index"],
            SAFE_PARAMS["net"],
            SAFE_PARAMS["channel"],
-            SAFE_PARAMS["src"],
+            query_params["src"],
            SAFE_PARAMS["num"],
            size,
            type=type,
-            nicks=nicks,
+            nicks=nicks_sensitive,
        )

        results = query_results(
@@ -331,10 +337,18 @@ class DrilldownContextModal(APIView):
        if "message" in results:
            return render(request, self.template_name, results)

+        if settings.HASHING:  # we probably want to see the tokens
+            if not request.user.has_perm("bypass_hashing"):
+                for index, item in enumerate(results["object_list"]):
+                    if "tokens" in item:
+                        results["object_list"][index]["msg"] = results["object_list"][
+                            index
+                        ].pop("tokens")
+                        # item["msg"] = item.pop("tokens")
+
        # Make the time nicer
        # for index, item in enumerate(results["object_list"]):
        #    results["object_list"][index]["time"] = item["time"]+"SSS"
-
        context = {
            "net": query_params["net"],
            "channel": query_params["channel"],
@@ -396,18 +410,17 @@ class ThresholdInfoModal(APIView):
            inter_chans = get_chans(safe_net, users)
        else:
            inter_chans = []
-        hash_list(inter_chans)
-        hash_list(inter_users)
+        hash_list(request.user, inter_chans)
+        hash_list(request.user, inter_users)

-        hash_list(num_chans, hash_keys=True)
-        hash_list(num_users, hash_keys=True)
+        hash_list(request.user, num_chans, hash_keys=True)
+        hash_list(request.user, num_users, hash_keys=True)

-        hash_list(channels)
-        hash_list(users)
+        hash_list(request.user, channels)
+        hash_list(request.user, users)

        # SAFE BLOCK END #
-        nick = nick.replace("|", "")
-        channel = channel.replace("|", "")
+
        context = {
            "net": net,
            "nick": nick,