emencia / django-blog-lotus

A weblog application with Django.
https://django-blog-lotus.readthedocs.io/
MIT License

Article.get_related() is not safe #56

Closed sveetch closed 8 months ago

sveetch commented 1 year ago

Describe the bug

Method get_related() from Article model is not safe against publication criteria although this method is used from Article detail template.

This is a critical bug.

Environment

To Reproduce

Steps to reproduce the behavior:

  1. Create a private Article 'A'
  2. Create a public Article 'B'
  3. Make 'A' a related article from 'B' admin detail
  4. Go to 'B' detail page as an anonymous user
  5. 'A' is listed in related articles even though it is a private article that should not be seen by anonymous users.

Expected behavior

At least, the related article list should respect all publication criteria (private, draft, publication end, etc.).

Either we use another method around Article.get_related() or we improve it to accept a required argument to apply publication criteria.

sveetch commented 9 months ago

In the current API branch, it has been fixed by changing get_related to this:

def get_related(self, filter_func=None):
    """
    Return article related articles.

    .. Warning::
        By default, without ``filter_func`` defined, this won't apply any
        publication criteria, only the language filtering.

        You would need to give it a proper filtering function to ensure
        correct results.

    TODO: Concretely for now, the 'filter_func' is not used in HTML frontend but it
    should, either from a variable context or a template tag.

    Keyword Arguments:
        filter_func (function): A function used to create a queryset for related
            articles filtered. It has been done to be given
            ``ArticleFilterMixin.apply_article_lookups`` so any other given
            function should at least expect the same arguments.

    Returns:
        queryset: List of related articles.
    """
    if filter_func:
        # Caller-supplied filtering, expected to apply publication criteria
        # (status, private, publication dates) on top of the language filter.
        q = filter_func(self.related, self.language)
    else:
        # Default path: language filtering only, no publication criteria.
        q = self.related.get_for_lang(self.language)

    return q.order_by(*self.COMMON_ORDER_BY)

This is because the Article serializer has the same issue. So it will be ready once the API has been released; then we will have to implement it in the template, either with a template tag or in the view context.
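The following is an added example, not code from the django-blog-lotus project or from the issue author. It is a plain-Python simulation (no Django ORM, so it runs offline) of both the reproduction steps from the report and the patched get_related(filter_func=None) signature above. The publication criteria it applies (status, private flag, publication start/end, language) and the names STATUS_DRAFT, STATUS_AVAILABLE, make_publication_filter and reproduce are assumptions made for the illustration; the real project's ArticleFilterMixin.apply_article_lookups is only referenced by name on this page, so its exact rules are not reproduced here. The point it shows is the one the issue makes: the default path (language filter only) still returns the private, draft, expired and not-yet-published articles to an anonymous visitor, while the same call with a filter function does not.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, List, Optional

# Assumed status values for the illustration (not the project's constants).
STATUS_DRAFT = 0
STATUS_AVAILABLE = 10

FilterFunc = Callable[[List["Article"], str], List["Article"]]


def get_for_lang(articles: List["Article"], language: str) -> List["Article"]:
    """Language-only filtering, the only thing the default path applies."""
    return [a for a in articles if a.language == language]


@dataclass
class Article:
    title: str
    language: str
    publish_start: datetime
    status: int = STATUS_AVAILABLE
    private: bool = False
    publish_end: Optional[datetime] = None
    related: List["Article"] = field(default_factory=list)

    def get_related(self, filter_func: Optional[FilterFunc] = None) -> List["Article"]:
        # Same shape as the patched method in the issue: with no filter_func
        # only the language is filtered, so publication criteria are NOT applied.
        if filter_func:
            q = filter_func(self.related, self.language)
        else:
            q = get_for_lang(self.related, self.language)
        return sorted(q, key=lambda a: a.title)


def make_publication_filter(now: datetime, authenticated: bool) -> FilterFunc:
    """Build a filter function with the (queryset, language) signature the
    patched get_related expects. Assumed criteria: available status, already
    published, not expired, and private articles only for authenticated users."""

    def apply_article_lookups(articles: List[Article], language: str) -> List[Article]:
        visible = []
        for a in get_for_lang(articles, language):
            if a.status != STATUS_AVAILABLE:          # draft
                continue
            if a.publish_start > now:                 # scheduled, not yet public
                continue
            if a.publish_end is not None and a.publish_end <= now:  # expired
                continue
            if a.private and not authenticated:       # private, anonymous viewer
                continue
            visible.append(a)
        return visible

    return apply_article_lookups


def titles(articles: List[Article]) -> List[str]:
    return [a.title for a in articles]


def reproduce() -> dict:
    """Constructed data following the issue's steps: private 'A' is related
    from public 'B'; extra articles cover the other publication criteria."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    past = datetime(2024, 1, 1, tzinfo=timezone.utc)
    a = Article("A", "fr", past, private=True)                         # private
    c = Article("C", "fr", past, status=STATUS_DRAFT)                  # draft
    d = Article("D", "fr", past, publish_end=datetime(2024, 1, 10, tzinfo=timezone.utc))  # expired
    e = Article("E", "en", past)                                       # other language
    f = Article("F", "fr", past)                                       # genuinely public
    g = Article("G", "fr", datetime(2024, 2, 1, tzinfo=timezone.utc))  # not yet published
    b = Article("B", "fr", past, related=[a, c, d, e, f, g])
    return {
        # The leak described in the issue: everything in the same language comes back.
        "unfiltered": titles(b.get_related()),
        "anonymous": titles(b.get_related(make_publication_filter(now, authenticated=False))),
        "authenticated": titles(b.get_related(make_publication_filter(now, authenticated=True))),
    }


if __name__ == "__main__":
    for viewer, shown in reproduce().items():
        print(f"{viewer}: {shown}")
```

Calling get_related() with no argument is exactly the template-side bug: the related list for 'B' contains 'A' (and the draft, expired and scheduled articles) regardless of who is viewing. Only the caller that passes a publication-aware filter gets a safe list, which is why the follow-up moves the filtering into a template tag rather than leaving it to the bare method.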

sveetch commented 8 months ago

Done with a template tag "article_get_related" in 0.7.0-pre.2