Hooks from: & to: syntax in yml to disable anonymous searches

opcourdis · June 19, 2025, 9:19pm

Hi, I would like to rebuild the app including some modification to a file in order to disable the search feature for anonymous users.(more than with just css)

Can anyone provide me some documentation for the syntax of those hooks for the from: & to: part?

    - replace:
        filename: "/var/www/discourse/app/assets/javascripts/discourse/app/components/search-menu.js"
        from: /get classNames()/
        to: |
          if (!this.currentUser) {return false;} get classNames()

Discourse accepts the syntax now but at the end of the rebuild it fails with

 Error: Parse Error at discourse/components/search-menu.gjs:88:7"

replace failed with the params {"filename"=>"/var/www/discourse/app/assets/javascripts/discourse/app/components/search-menu.gjs", "from"=>"/get classNames()/", "to"=>"if (!this.currentUser) {return false;} get classNames()\n"}

Falco · June 21, 2025, 2:05am

There is a hidden site setting to accomplish that:

rate_limit_search_anon_global_per_minute

Michael12 · June 21, 2025, 2:11am

Thanks for pointing that out. Just to clarify, what’s the name of the hidden site setting? And does it fully disable search for anonymous users, or just hide the results? I’m looking for a way to block access at the controller level, so wondering if that setting alone is enough or if some custom code is still needed.

opcourdis · June 21, 2025, 9:57am

Thanks for providing with the variable, with this documentation I could make it work.

So I modified the app.yml with the following, saved, then ./launcher restart app(no rebuild needed)

env:
  DISCOURSE_RATE_LIMIT_SEARCH_ANON_GLOBAL_PER_MINUTE: 0

Now the /search page is unreachable = great
Now the front end search button instantly returns : you’ve performed this action too many times = great
You may hide the search button with :

.anon #search-button {
	display: none !important;
}

But the question is : is this thorough? Can anyone just create a simple session cookie to make it look like they are connected so that they can access the content of the site through searches?

More thorough but uncomplete solution :

The file is : /var/www/discourse/app/controllers/search_controller.rb
The modification : add “if current_user.present?” after “def show” and add an “end” at the bottom of the condition.

However I could not make it persistent after restart, so anybody is welcome to tell how to make it persistent after restart with the app.yml hooks after_code replace: feature.

Falco · June 21, 2025, 4:05pm

As in log in to do searches?

On the OP you specified that you want to

And this is what this setting does.

Of course it won’t affect uses who are logged in.

opcourdis · June 21, 2025, 5:04pm

I mean non logged in user that would create a session cookie to pretend they are logged in but maybe I am fetching a bit too far here as I guess that the currentUser function checks the session key.

Falco · June 21, 2025, 9:53pm

That would be a security issue. If you can achieve that make sure to report to HackerOne

opcourdis · June 21, 2025, 10:04pm

" That would be a security issue. If you can achieve that make sure to report to HackerOne"

No, I am new to discourse, I cannot even quote properly , I was just asking, maybe there was some discourse engineer around ; anyway, we got our solution to this thread thanks to you Falco

Topic		Replies	Views
Filter known-bad sender domains from your mail-receiver Sysadmins how-to	8	3119	April 13, 2020
OS Plugin Proposal: A Navigable "Graph" or "Network" view of links between Topics Feature	2	829	September 22, 2024
Integrate OAuth with an invite only flow Dev	4	1755	October 8, 2018
Do not show deleted post history any more to regular users Feature	7	1477	September 17, 2021
Spoiler on images doesn't effectively protect NSFW images Feature	11	4248	May 24, 2022

Hooks from: & to: syntax in yml to disable anonymous searches

Related topics