From c15f07a1861e70f28d7ebcaf00b6e89d64d7acb9 Mon Sep 17 00:00:00 2001
From: TLSM
Date: Thu, 11 Aug 2022 03:50:07 -0400
Subject: [PATCH] Fix /blackjack/ not verifying user.
---
 files/routes/comments.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/files/routes/comments.py b/files/routes/comments.py
index 3d8f76615e..bc27365d56 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -923,11 +923,15 @@ def unsave_comment(cid, v):
 return {"message": "Comment unsaved!"}
 @app.post("/blackjack/")
-@limiter.limit("1/second;30/minute;200/hour;1000/day")
-@limiter.limit("1/second;30/minute;200/hour;1000/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
+@limiter.limit("1/second;30/minute;200/hour;2500/day")
+@limiter.limit("1/second;30/minute;200/hour;2500/day", key_func=lambda:f'{SITE}-{session.get("lo_user")}')
 @auth_required
 def handle_blackjack_action(cid, v):
 comment = get_comment(cid)
+
+ if v.id != comment.author_id:
+ abort(403)
+
+ if 'active' in comment.blackjack_result:
 try: action = request.values.get("thing").strip().lower()
 except: abort(400)
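Review bot: The two `@limiter.limit` lines raise the daily cap from 1000 to 2500 in the same commit that adds the ownership check, while the subject line mentions only the check; loosening a rate limit on a state-changing endpoint belongs in its own commit, or at least in the commit message. The new guard `if v.id != comment.author_id: abort(403)` sits before any game state is read, which is the right place, and would benefit from a comment such as `# cid is client-supplied: only the comment's author may act on this game`. The line after it, `if 'active' in comment.blackjack_result:`, would presumably raise a TypeError if `blackjack_result` is None on a comment that has no game, so `if comment.blackjack_result and 'active' in comment.blackjack_result:` may be safer; confirm against the model. The body of `handle_blackjack_action` continues outside the hunk.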