Protect search page to be read from non-admin users

corres2math/urls.py

@@ -19,13 +19,15 @@ from django.views.defaults import bad_request, permission_denied, page_not_found
 from django.views.generic import TemplateView
 from registration.views import PhotoAuthorizationView
 
+from .views import AdminSearchView
+
 urlpatterns = [
     path('', TemplateView.as_view(template_name="index.html"), name='index'),
     path('i18n/', include('django.conf.urls.i18n')),
     path('admin/doc/', include('django.contrib.admindocs.urls')),
     path('admin/', admin.site.urls, name="admin"),
     path('accounts/', include('django.contrib.auth.urls')),
-    path('search/', include('haystack.urls')),
+    path('search/', AdminSearchView.as_view(), name="haystack_search"),
 
     path('api/', include('api.urls')),
     path('participation/', include('participation.urls')),

corres2math/views.py

@@ -0,0 +1,13 @@
+from django.contrib.auth.mixins import LoginRequiredMixin
+from django.core.exceptions import PermissionDenied
+from django.utils.translation import gettext_lazy as _
+from haystack.generic_views import SearchView
+
+
+class AdminSearchView(LoginRequiredMixin, SearchView):
+    def dispatch(self, request, *args, **kwargs):
+        if not request.user.is_authenticated:
+            return self.handle_no_permission()
+        if not request.user.registration.is_admin:
+            raise PermissionDenied(_("Only administrators are allowed to perform a full research."))
+        return super().dispatch(request, *args, **kwargs)