Require authentication for the /search page.

Release notes

Require authentication for the /search page when "Restricted visibility levels" is Public.

Problem to solve

The /search page currently does not require authentication when "Restricted visibility levels" is Public. Instead of redirecting to a login page, non-authenticated users can view the page. They cannot actually perform a search, but they do see active banner messages (which could unintentionally leak confidential information depending on what was in the message).

We had hoped that the allow_anonymous_searches feature flag from #434219 (closed) would have been a good solution, but there are two concerns with that:

  1. We prefer not to implement "feature flag" enabled features in production. Instead, we would like for that to be available in the UI. Someone else already opened a proposal for that here: #495827.

  2. While the new allow_anonymous_searches flag does result in showing a "You must be logged in to search" message rather than an empty search results page, it still displays any active banner messages as well as the contents of the "Sign in/Sign up pages" (from Admin Area => Settings => Appearance).

Proposal

Implement a solution similar to what was previously done for /explore, /help, and /public in:

In those solutions, if an unauthenticated user attempts to go to any of the /explore, /help, and /public pages, they get redirected to the desired SSO login page. In our opinion /search should do the same thing instead of displaying our custom messages and banner messages (which could potentially contain information that is not intended for unauthenticated users and may provide information about the site which could then be used for social engineering attacks).

Intended users

Unknown

Feature Usage Metrics

Unknown

Does this feature require an audit event?

Unknown
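
An administrator can check the behaviour requested above from captured unauthenticated responses. The following is an added example, not part of the original issue or of the project's code; the `/users/sign_in` prefix, the banner marker text and the sample capture are assumptions to replace with your own sign-in (SSO) entry point and a string from your active banner message.

```python
from urllib.parse import urlsplit

# Paths named in this issue. SIGN_IN_PREFIX is an assumption: set it to the
# path of the sign-in/SSO entry point your instance redirects to.
PATHS = ["/search", "/explore", "/help", "/public"]
SIGN_IN_PREFIX = "/users/sign_in"
REDIRECTS = (301, 302, 303, 307, 308)

def classify(status, headers, body, banner_markers=()):
    """Classify one response that was fetched with no session cookie and
    without following redirects."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status in REDIRECTS:
        target = urlsplit(headers.get("location", "")).path
        if target.startswith(SIGN_IN_PREFIX):
            return "redirects_to_login"
        return "redirects_elsewhere"
    if status == 200:
        # A rendered page is already a finding; a banner string in it is worse.
        if any(marker in body for marker in banner_markers):
            return "leaks_banner"
        return "renders_page"
    return "other"

def audit(responses, banner_markers=()):
    """responses maps path -> (status, headers, body).
    Returns {path: reason} for every path that did not redirect to sign-in."""
    findings = {}
    for path in PATHS:
        if path not in responses:
            findings[path] = "not_captured"
            continue
        verdict = classify(*responses[path], banner_markers=banner_markers)
        if verdict != "redirects_to_login":
            findings[path] = verdict
    return findings

# Constructed sample capture (not real output from any instance).
SAMPLE = {
    "/explore": (302, {"Location": "https://gitlab.example.com/users/sign_in"}, ""),
    "/help": (302, {"Location": "/users/sign_in"}, ""),
    "/public": (302, {"Location": "/users/sign_in"}, ""),
    "/search": (200, {"Content-Type": "text/html"},
                "<div>Maintenance window for project X</div>"
                "You must be logged in to search"),
}

if __name__ == "__main__":
    for path, reason in audit(SAMPLE, ["Maintenance window"]).items():
        print(f"{path}: {reason}")
```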