From 5d2f4d203b16c655ef1921fc1dd300dafc24f4ae Mon Sep 17 00:00:00 2001 From: justcool393 Date: Sun, 30 Oct 2022 02:31:21 -0500 Subject: [PATCH] users: add is_visible_to function for checking user visibility to a certain other user --- files/classes/user.py | 7 ++++++- files/routes/search.py | 4 ++-- files/routes/users.py | 10 +++++----- 3 files changed, 13 insertions(+), 8 deletions(-) diff --git a/files/classes/user.py b/files/classes/user.py index 35a4667b8..fa79cb23b 100644 --- a/files/classes/user.py +++ b/files/classes/user.py @@ -743,6 +743,12 @@ class User(Base): def has_follower(self, user): if not user or self.id == user.id: return False # users can't follow themselves return g.db.query(Follow).filter_by(target_id=self.id, user_id=user.id).one_or_none() + + @lazy + def is_visible_to(self, user) -> bool: + if not self.is_private: return True + if self.id == user.id: return True + return user.admin_level >= PERMS['VIEW_PRIVATE_PROFILES'] or user.eye @property @lazy @@ -972,7 +978,6 @@ class User(Base): def can_see_shadowbanned(self): return (self.admin_level >= PERMS['USER_SHADOWBAN']) or self.shadowbanned - @property @lazy def unmutable(self): diff --git a/files/routes/search.py b/files/routes/search.py index 0aa3b6dd5..d1e808260 100644 --- a/files/routes/search.py +++ b/files/routes/search.py @@ -70,7 +70,7 @@ def searchposts(v): if 'author' in criteria: posts = posts.filter(Submission.ghost == False) author = get_user(criteria['author'], v=v, include_shadowbanned=False) - if author.is_private and author.id != v.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye: + if not author.is_visible_to(v): if v.client: abort(403, f"@{author.username}'s profile is private; You can't use the 'author' syntax on them") return render_template("search.html", 
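Review bot: `is_visible_to` in files/classes/user.py dereferences `user.id` and `user.admin_level` without handling a logged-out viewer, whereas every check it replaces in files/routes/users.py carried a `not v or (...)` guard, and `u_username` / `u_username_comments` declare `v=None`. For a private profile with `v` set to None, the new method raises AttributeError instead of reaching the 403 / `userpage_private.html` branch, so the check still fails closed but as a server error rather than the intended response. Adding `if not user: return False` directly after the `is_private` line restores the old semantics for all five call sites in users.py. Separately, the definition of `@lazy` is outside this diff: if it memoizes per `User` instance without keying on the argument, a result computed for one viewer could be reused for another, so confirm that or drop the decorator on this method. The `User` class body continues outside the hunk.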
@@ -195,7 +195,7 @@ def searchcomments(v): if 'author' in criteria: comments = comments.filter(Comment.ghost == False) author = get_user(criteria['author'], v=v, include_shadowbanned=False) - if author.is_private and author.id != v.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye: + if not author.is_visible_to(v): if v.client: abort(403, f"@{author.username}'s profile is private; You can't use the 'author' syntax on them") diff --git a/files/routes/users.py b/files/routes/users.py index 9c82e205b..0f8cc968d 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -26,7 +26,7 @@ from .login import check_for_alts def upvoters_downvoters(v, username, uid, cls, vote_cls, vote_dir, template, standalone): u = get_user(username, v=v, include_shadowbanned=False) - if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): abort(403) + if not u.is_visible_to(v): abort(403) if not (v.id == u.id or v.admin_level >= PERMS['USER_VOTERS_VISIBLE']): abort(403) id = u.id try: @@ -76,7 +76,7 @@ def downvoters_comments(v, username, uid): def upvoting_downvoting(v, username, uid, cls, vote_cls, vote_dir, template, standalone): u = get_user(username, v=v, include_shadowbanned=False) - if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): abort(403) + if not u.is_visible_to(v): abort(403) if not (v.id == u.id or v.admin_level >= PERMS['USER_VOTERS_VISIBLE']): abort(403) id = u.id try: 
@@ -126,7 +126,7 @@ def downvoting_comments(v, username, uid): def user_voted(v, username, cls, vote_cls, vote_dir, template, standalone): u = get_user(username, v=v, include_shadowbanned=False) - if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): abort(403) + if not u.is_visible_to(v): abort(403) if not (v.id == u.id or v.admin_level >= PERMS['USER_VOTERS_VISIBLE']): abort(403) page = max(1, int(request.values.get("page", 1))) @@ -659,7 +659,7 @@ def u_username(username, v=None): g.db.commit() - if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): + if not u.is_visible_to(v): if g.is_api_or_xhr or request.path.endswith(".json"): abort(403, "This userpage is private") @@ -739,7 +739,7 @@ def u_username_comments(username, v=None): u = user - if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): + if not u.is_visible_to(v): if g.is_api_or_xhr or request.path.endswith(".json"): abort(403, "This userpage is private") return render_template("userpage_private.html", u=u, v=v)