From 1ff1ffceb9a1b6ed6c2bd9bbf8f8f55b8fe8a198 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius <liw@liw.fi>
Date: Sat, 17 Nov 2018 19:38:05 +0200
Subject: Fix: only return search hits that are showable

---
 muck_poc | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/muck_poc b/muck_poc
index 85278ea..edf59e7 100755
--- a/muck_poc
+++ b/muck_poc
@@ -153,11 +153,26 @@ class MuckAPI:
         return self._create_response(200, 'delete', meta, res)
 
     def _search_res(self, claims):
+        def is_showble(rid):
+            try:
+                meta, res = self._get_existing(rid)
+            except bottle.HTTPError as e:
+                return False
+            return self._access_is_allowed(meta, claims):
+
         body = self._get_json_body()
         cond = body.get('cond')
         ms = self._store.get_memory_store()
+
+        hits = ms.search(cond)
+        hits = [
+            rid
+            for rid in ms.search(cond)
+            if is_showable(rid)
+        ]
+
         result = {
-            'resources': ms.search(cond),
+            'resources': hits,
         }
         return bottle.HTTPResponse(status=200, body=json.dumps(result))
 
-- 
cgit v1.2.1