# HG changeset patch
# User Marcin Kuzminski
# Date 2017-10-12 19:37:23
# Node ID 23aaeb72bc9d63f3cc416e6a4aede87ae5ebbb22
# Parent 5bbfeee444fcce501c493683dd7e1d93ddaedd70
quick-filter: make sure we always apply IN filter query. Otherwise we can end up iwth empty query which disables the ACL filter.
diff --git a/rhodecode/apps/home/views.py b/rhodecode/apps/home/views.py
--- a/rhodecode/apps/home/views.py
+++ b/rhodecode/apps/home/views.py
@@ -104,7 +104,7 @@ class HomeView(BaseAppView):
     def _get_repo_list(self, name_contains=None, repo_type=None, limit=20):
         allowed_ids = self._rhodecode_user.repo_acl_ids(
             ['repository.read', 'repository.write', 'repository.admin'],
-            cache=False, name_filter=name_contains)
+            cache=False, name_filter=name_contains) or [-1]
 
         query = Repository.query()\
             .order_by(func.length(Repository.repo_name))\
@@ -139,7 +139,7 @@ class HomeView(BaseAppView):
     def _get_repo_group_list(self, name_contains=None, limit=20):
         allowed_ids = self._rhodecode_user.repo_group_acl_ids(
             ['group.read', 'group.write', 'group.admin'],
-            cache=False, name_filter=name_contains)
+            cache=False, name_filter=name_contains) or [-1]
 
         query = RepoGroup.query()\
             .order_by(func.length(RepoGroup.group_name))\
diff --git a/rhodecode/model/db.py b/rhodecode/model/db.py
--- a/rhodecode/model/db.py
+++ b/rhodecode/model/db.py
@@ -122,6 +122,11 @@ def in_filter_generator(qry, items, limi
         *in_filter_generator(Repository.repo_id, range(100000))
     )).count()
     """
+    if not items:
+        # empty list will cause empty query which might cause security issues
+        # this can lead to hidden unpleasant results
+        items = [-1]
+
     parts = []
     for chunk in xrange(0, len(items), limit):
         parts.append(
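Review bot: The `or [-1]` fallback on the `allowed_ids` assignment in `_get_repo_list` is an unexplained magic value, and the identical fallback is repeated on the `allowed_ids` line of `_get_repo_group_list` in the second hunk; nothing tells a reader that `-1` is meant as an id no row can have, chosen so the IN filter is still emitted instead of being dropped when the user may read nothing. A trailing comment on both lines such as `# no readable ids: keep the IN filter with an impossible id rather than dropping it`, or a single module-level constant referenced from both methods, would make the intent and the coupling between the two sites explicit. This relies on primary keys never being `-1`, which these hunks cannot confirm. Both method bodies continue past their hunks, so the query that consumes `allowed_ids` is not visible here.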
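Review bot: The new `if not items:` guard changes the contract of `in_filter_generator`, but the docstring that closes on the `"""` context line directly above it says nothing about it; the docstring should state that an empty or falsy `items` produces a filter on `[-1]`, intended to match no row, rather than no filter at all. The sentinel is only meaningful for integer columns: `qry` is caller-supplied, so a non-integer column (for example a name column) combined with empty `items` would emit `IN (-1)`, which on databases with strict typing may fail with a type error instead of returning nothing — either state the integer-column precondition in the docstring or guard it. The added comment could also be sharper about the actual risk, e.g. `# an empty IN list would drop the filter and widen the result set (ACL bypass); use an id no row has so the filter still applies`. The function starts before and ends after this hunk.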