From 6ed4616da99b25703489e7431d84d8749a7a167c Mon Sep 17 00:00:00 2001
From: Markus Heiser <markus.heiser@darmarit.de>
Date: Wed, 26 May 2021 19:43:27 +0200
Subject: [enh] add settings option to enable/disable search formats

Access to formats can be denied by settings configuration::

    search:
        formats: [html, csv, json, rss]

Closes: https://github.com/searxng/searxng/issues/95
Signed-off-by: Markus Heiser <markus.heiser@darmarit.de>
---
 searx/webapp.py | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'searx/webapp.py')

diff --git a/searx/webapp.py b/searx/webapp.py
index ad6ed368b..47f77acc7 100755
--- a/searx/webapp.py
+++ b/searx/webapp.py
@@ -31,6 +31,8 @@ from pygments.formatters import HtmlFormatter  # pylint: disable=no-name-in-modu
 from werkzeug.middleware.proxy_fix import ProxyFix
 from werkzeug.serving import WSGIRequestHandler
 
+import flask
+
 from flask import (
     Flask,
     request,
@@ -86,6 +88,7 @@ from searx.utils import (
     gen_useragent,
     dict_subset,
     match_language,
+    get_value,
 )
 from searx.version import VERSION_STRING
 from searx.query import RawTextQuery
@@ -161,6 +164,8 @@ for indice, theme in enumerate(themes):
     for (dirpath, dirnames, filenames) in os.walk(theme_img_path):
         global_favicons[indice].extend(filenames)
 
+OUTPUT_FORMATS = ['html', 'csv', 'json', 'rss']
+
 STATS_SORT_PARAMETERS = {
     'name': (False, 'name', ''),
     'score': (True, 'score', 0),
@@ -511,6 +516,11 @@ def render(template_name, override_theme=None, **kwargs):
 
     kwargs['preferences'] = request.preferences
 
+    kwargs['search_formats'] = [
+        x for x in get_value(
+            settings, 'search', 'formats', default=OUTPUT_FORMATS)
+        if x != 'html']
+
     kwargs['brand'] = brand
 
     kwargs['translations'] = json.dumps(get_translations(), separators=(',', ':'))
@@ -683,9 +693,12 @@ def search():
 
     # output_format
     output_format = request.form.get('format', 'html')
-    if output_format not in ['html', 'csv', 'json', 'rss']:
+    if output_format not in OUTPUT_FORMATS:
         output_format = 'html'
 
+    if output_format not in get_value(settings, 'search', 'formats', default=OUTPUT_FORMATS):
+        flask.abort(403)
+
     # check if there is query (not None and not an empty string)
     if not request.form.get('q'):
         if output_format == 'html':
-- 
cgit v1.2.3