Security: Enforce mandatory API Keys for V3, fix search logic, and update frontend guide

2026-01-19 14:11:13 -05:00
parent d8b0c3b0a4
commit cad0d2e867
5 changed files with 325 additions and 43 deletions
--- a/app/lib_sql_search.py
+++ b/app/lib_sql_search.py
@@ -166,11 +166,23 @@ def sql_search_qry_part(
                    data[p_name] = query_node.query_string
                elif searchable_fields:
                    like_clauses = []
+                    # Fields to exclude from a generic text 'q' search (numeric, technical, or date fields)
+                    exclude_patterns = [
+                        'enable', 'hide', 'priority', 'sort', 'group', 
+                        'created_on', 'updated_on'
+                    ]
                    for field in searchable_fields:
-                        if not any(x in field for x in ['_id', 'enable', 'hide', 'priority', 'sort', 'group', 'created_on', 'updated_on']):
-                            f_p_name = get_param_name()
-                            like_clauses.append(f"`{field}` LIKE :{f_p_name}")
-                            data[f_p_name] = f"%{query_node.query_string}%"
+                        # Exclude exact internal integer IDs (ending in _id)
+                        if field.endswith('_id') or field == 'id':
+                            continue
+                        
+                        # Exclude other technical/meta fields
+                        if any(x == field for x in exclude_patterns):
+                            continue
+                            
+                        f_p_name = get_param_name()
+                        like_clauses.append(f"`{field}` LIKE :{f_p_name}")
+                        data[f_p_name] = f"%{query_node.query_string}%"
                    if like_clauses: clauses.append(f"({' OR '.join(like_clauses)})")
        for filter_attr in ['and_filters', 'or_filters']:
            if hasattr(query_node, filter_attr) and getattr(query_node, filter_attr):