Prevent matches from unrelated models from leaking into SQLite FTS searches

Fixes #10188
2023-03-08 16:45:33 +00:00 · 2023-03-08 16:45:33 +00:00 · ab05be3bb2
commit ab05be3bb2
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -34,6 +34,7 @@ Changelog
 * Fix: Fix timezone activation leaking into subsequent requests in `require_admin_access()` (Stefan Hammer)
 * Fix: Fix dialog component's message to have rounded corners at the top side (Sam)
 * Fix: When multiple documents are uploaded and then subsequently updated, ensure that existing success messages are cleared correctly (Aman Pandey)
+ * Fix: Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)
 * Docs: Add code block to make it easier to understand contribution docs (Suyash Singh)
 * Docs: Add new "Icons" page for icons customisation and reuse across the admin interface (Coen van der Kamp)
 * Docs: Fix broken formatting for MultiFieldPanel / FieldRowPanel permission kwarg docs (Matt Westcott)
@ -75,6 +76,7 @@ Changelog
 * Fix: Add missing log information for `wagtail.schedule.cancel` (Stefan Hammer)
 * Fix: Fix timezone activation leaking into subsequent requests in `require_admin_access()` (Stefan Hammer)
 * Fix: Fix dialog component's message to have rounded corners at the top side (Sam)
+ * Fix: Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)


 4.2 (06.02.2023)
@ -237,6 +239,9 @@ Changelog
 * Fix: Support creating `StructValue` copies (Tidiane Dia)
 * Fix: Fix "Edit this page" missing from userbar (Satvik Vashisht)
 * Fix: Prevent audit log report from failing on missing models (Andy Chosak)
+ * Fix: Add missing log information for `wagtail.schedule.cancel` (Stefan Hammer)
+ * Fix: Fix timezone activation leaking into subsequent requests in `require_admin_access()` (Stefan Hammer)
+ * Fix: Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)


 4.1.2 (06.02.2023)
--- a/docs/releases/4.1.3.md
+++ b/docs/releases/4.1.3.md
@ -21,3 +21,4 @@ depth: 1
 * Prevent audit log report from failing on missing models (Andy Chosak)
 * Add missing log information for `wagtail.schedule.cancel` (Stefan Hammer)
 * Fix timezone activation leaking into subsequent requests in `require_admin_access()` (Stefan Hammer)
+ * Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)
--- a/docs/releases/4.2.1.md
+++ b/docs/releases/4.2.1.md
@ -21,3 +21,4 @@ depth: 1
 * Add missing log information for `wagtail.schedule.cancel` (Stefan Hammer)
 * Fix timezone activation leaking into subsequent requests in `require_admin_access()` (Stefan Hammer)
 * Fix dialog component's message to have rounded corners at the top side (Sam)
+ * Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)
--- a/docs/releases/5.0.md
+++ b/docs/releases/5.0.md
@ -48,6 +48,7 @@ Support for adding custom validation logic to StreamField blocks has been formal
 * Fix timezone activation leaking into subsequent requests in `require_admin_access()` (Stefan Hammer)
 * Fix dialog component's message to have rounded corners at the top side (Sam)
 * When multiple documents are uploaded and then subsequently updated, ensure that existing success messages are cleared correctly (Aman Pandey)
+ * Prevent matches from unrelated models from leaking into SQLite FTS searches (Matt Westcott)

 ### Documentation

--- a/wagtail/search/backends/database/sqlite/sqlite.py
+++ b/wagtail/search/backends/database/sqlite/sqlite.py
@ -515,12 +515,18 @@ class SQLiteSearchQueryCompiler(BaseSearchQueryCompiler):
                vector, " ", False
            )  # We add the subsequent vectors to the combined vector.

-        expr = MatchExpression(
-            self.fields or ["title", "body"], search_query
-        )  # Build the FTS match expression.
-        objs = SQLiteFTSIndexEntry.objects.filter(expr).select_related(
-            "index_entry"
-        )  # Perform the FTS search. We'll get entries in the SQLiteFTSIndexEntry model.
+        # Build the FTS match expression.
+        expr = MatchExpression(self.fields or ["title", "body"], search_query)
+        # Perform the FTS search. We'll get entries in the SQLiteFTSIndexEntry model.
+        objs = (
+            SQLiteFTSIndexEntry.objects.filter(expr)
+            .select_related("index_entry")
+            .filter(
+                index_entry__content_type__in=get_descendants_content_types_pks(
+                    self.queryset.model
+                )
+            )
+        )

        if self.order_by_relevance:
            objs = objs.order_by(BM25().desc())
--- a/wagtail/search/tests/test_backends.py
+++ b/wagtail/search/tests/test_backends.py
@ -98,6 +98,13 @@ class BackendTests(WagtailTestUtils):
        results = self.backend.search(MATCH_NONE, models.Book)
        self.assertFalse(list(results))

+    def test_search_does_not_return_results_from_wrong_model(self):
+        # https://github.com/wagtail/wagtail/issues/10188 - if a term matches some other
+        # model to the one being searched, this match should not leak into the results
+        # (e.g. returning the object with the same ID)
+        results = self.backend.search("thrones", models.Author)
+        self.assertSetEqual(set(results), set())
+
    def test_ranking(self):
        # Note: also tests the "or" operator
        results = list(