From f392c6bb9c01cc28b4358ba8253002265c8b66ee Mon Sep 17 00:00:00 2001
From: Aevann
Date: Thu, 14 Sep 2023 19:49:46 +0300
Subject: [PATCH] disallow permabanned-cels from all POST endpoints that require auth except /reply /contact /delete/post /delete/comment
---
 files/routes/awards.py | 2 +-
 files/routes/chat.py | 10 +++++-----
 files/routes/comments.py | 2 +-
 files/routes/groups.py | 2 +-
 files/routes/oauth.py | 4 ++--
 files/routes/polls.py | 4 ++--
 files/routes/posts.py | 2 +-
 files/routes/settings.py | 2 +-
 files/routes/subs.py | 42 ++++++++++++++++++++--------------------
 files/routes/users.py | 6 +++---
 files/routes/votes.py | 4 ++--
 files/routes/wrappers.py | 13 ++----------
 12 files changed, 42 insertions(+), 51 deletions(-)
diff --git a/files/routes/awards.py b/files/routes/awards.py
index 8b10ddea3..d0037ecaa 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -138,7 +138,7 @@ def buy(v, award):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def award_thing(v, thing_type, id):
 kind = request.values.get("kind", "").strip()
diff --git a/files/routes/chat.py b/files/routes/chat.py
index d4ec03e10..b333b90b1 100644
--- a/files/routes/chat.py
+++ b/files/routes/chat.py
@@ -53,7 +53,7 @@ def is_not_banned_socketio(f):
 wrapper.__name__ = f.__name__
 return wrapper
-def is_not_permabanned_socketio(f):
+def auth_required_socketio(f):
 def wrapper(*args, **kwargs):
 v = get_logged_in_user()
 if not v: return '', 401
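Review bot: The rename at `-def is_not_permabanned_socketio(f):` / `+def auth_required_socketio(f):` changes only the name; the chat.py diffstat (5 insertions, 5 deletions, all in one-line hunks) indicates the wrapper body below `if not v: return '', 401` is untouched, and that body lies outside the hunk. If it still rejects `v.is_permabanned`, the new name misdescribes a decorator that is stricter than `auth_required` for socket events (the new permaban check in `auth_required` is POST-only and would not apply to socketio handlers anyway); if it does not, permabanned users can now open chat sockets. Either way the name and the behavior should be brought back into agreement: keep the old name, or add a docstring stating what the wrapper actually enforces. Confirm against the rest of the function.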
@@ -67,7 +67,7 @@ CHAT_ERROR_MESSAGE = f"To prevent spam, you'll need {TRUESCORE_CC_CHAT_MINIMUM}
 @app.get("/chat")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def chat(v):
 if not v.allowed_in_chat: abort(403, CHAT_ERROR_MESSAGE)
@@ -83,7 +83,7 @@ def chat(v):
 @app.get("/orgy")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def orgy(v):
 if not v.allowed_in_chat: abort(403, CHAT_ERROR_MESSAGE)
@@ -208,7 +208,7 @@ def refresh_online():
 cache.set(CHAT_ONLINE_CACHE_KEY, len(online[key]), timeout=0)
 @socketio.on('connect')
-@is_not_permabanned_socketio
+@auth_required_socketio
 def connect(v):
 if request.referrer not in ALLOWED_REFERRERS: return '', 400
@@ -231,7 +231,7 @@ def connect(v):
 return '', 204
 @socketio.on('disconnect')
-@is_not_permabanned_socketio
+@auth_required_socketio
 def disconnect(v):
 if request.referrer not in ALLOWED_REFERRERS: return '', 400
diff --git a/files/routes/comments.py b/files/routes/comments.py
index bf923a804..704cf8395 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -630,7 +630,7 @@ def toggle_comment_nsfw(cid, v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DELETE_EDIT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DELETE_EDIT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def edit_comment(cid, v):
 c = get_comment(cid, v=v)
diff --git a/files/routes/groups.py b/files/routes/groups.py
index ce610bbcb..6455370e3 100644
--- a/files/routes/groups.py
+++ b/files/routes/groups.py
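Review bot: `/chat` and `/orgy` are `@app.get` handlers, so after swapping `@is_not_permabanned` for `@auth_required` they no longer reject permabanned users at all, because the replacement check in `auth_required` only fires when `request.method == "POST"`. The same applies to the GET routes in subs.py (`create_sub` on `/create_hole` and the `sub_settings` page). That may be intended given the commit title, but the remaining gate here is `v.allowed_in_chat`, whose definition is not in the diff; if it does not account for `is_permabanned`, a banned user now gets the chat page rendered and is refused only at the socket `connect` handler. If the page should stay closed to them, keep an explicit `if v.is_permabanned: abort(403)` at the top of `chat` and `orgy`, and say so in the commit description.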
@@ -20,7 +20,7 @@ def ping_groups(v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def create_group(v):
 name = request.values.get('name')
 if not name: abort(400)
diff --git a/files/routes/oauth.py b/files/routes/oauth.py
index 421b281c5..a14710a34 100644
--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@@ -55,7 +55,7 @@ def rescind(v, aid):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def request_api_keys(v):
 new_app = OauthApp(
 app_name=request.values.get('name').replace('<','').replace('>',''),
@@ -123,7 +123,7 @@ def delete_oauth_app(v, aid):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def edit_oauth_app(v, aid):
 try:
 aid = int(aid)
diff --git a/files/routes/polls.py b/files/routes/polls.py
index 391d37dbc..40a82419a 100644
--- a/files/routes/polls.py
+++ b/files/routes/polls.py
@@ -10,7 +10,7 @@ from files.__main__ import app
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def vote_option(option_id, v):
 try:
 option_id = int(option_id)
@@ -62,7 +62,7 @@ def vote_option(option_id, v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def vote_option_comment(option_id, v):
 try:
 option_id = int(option_id)
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 85d08fb0b..e74a76827 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -978,7 +978,7 @@ def get_post_title(v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DELETE_EDIT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DELETE_EDIT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def edit_post(pid, v):
 p = get_post(pid)
 if not v.can_edit(p): abort(403)
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 36cf0f9f0..04b22f768 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -720,7 +720,7 @@ def settings_advanced_get(v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def settings_name_change(v):
 if SITE == 'rdrama.net' and v.id == 10489: abort(403)
diff --git a/files/routes/subs.py b/files/routes/subs.py
index 53360fc97..d4e5654c3 100644
--- a/files/routes/subs.py
+++ b/files/routes/subs.py
@@ -12,7 +12,7 @@ from files.__main__ import app, cache, limiter
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def exile_post(v, pid):
 if v.shadowbanned: abort(500)
 p = get_post(pid)
@@ -47,7 +47,7 @@ def exile_post(v, pid):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def exile_comment(v, cid):
 if v.shadowbanned: abort(500)
 c = get_comment(cid)
@@ -82,7 +82,7 @@ def exile_comment(v, cid):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def unexile(v, sub, uid):
 u = get_account(uid)
@@ -266,7 +266,7 @@ def sub_followers(v, sub):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("30/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("30/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def add_mod(v, sub):
 if SITE_NAME == 'WPD': abort(403)
 sub = get_sub_by_name(sub).name
@@ -306,7 +306,7 @@ def add_mod(v, sub):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def remove_mod(v, sub):
 sub = get_sub_by_name(sub).name
@@ -347,7 +347,7 @@ def remove_mod(v, sub):
 @app.get("/create_hole")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def create_sub(v):
 if not v.can_create_hole: abort(403)
@@ -359,7 +359,7 @@ def create_sub(v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def create_sub2(v):
 if not v.can_create_hole: abort(403)
@@ -399,7 +399,7 @@ def create_sub2(v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def kick(v, pid):
 post = get_post(pid)
@@ -432,7 +432,7 @@ def kick(v, pid):
 @app.get('/h//settings')
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def sub_settings(v, sub):
 sub = get_sub_by_name(sub)
 if not v.mods(sub.name): abort(403)
@@ -444,7 +444,7 @@ def sub_settings(v, sub):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def post_sub_sidebar(v, sub):
 sub = get_sub_by_name(sub)
 if not v.mods(sub.name): abort(403)
@@ -474,7 +474,7 @@ def post_sub_sidebar(v, sub):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def post_sub_css(v, sub):
 sub = get_sub_by_name(sub)
 css = request.values.get('css', '').strip()
@@ -516,7 +516,7 @@ def get_sub_css(sub):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("50/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("50/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def upload_sub_banner(v, sub):
 if g.is_tor: abort(403, "Image uploads are not allowed through Tor")
@@ -546,7 +546,7 @@ def upload_sub_banner(v, sub):
 @app.post("/h//settings/banners/delete/")
 @limiter.limit("1/second;30/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("1/second;30/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def delete_sub_banner(v, sub, index):
 sub = get_sub_by_name(sub)
 if not v.mods(sub.name): abort(403)
@@ -577,7 +577,7 @@ def delete_sub_banner(v, sub, index):
 @app.post("/h//settings/banners/delete_all")
 @limiter.limit("1/10 second;30/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("1/10 second;30/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def delete_all_sub_banners(v, sub):
 sub = get_sub_by_name(sub)
 if not v.mods(sub.name): abort(403)
@@ -605,7 +605,7 @@ def delete_all_sub_banners(v, sub):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("10/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("10/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def sub_sidebar(v, sub):
 if g.is_tor: abort(403, "Image uploads are not allowed through TOR!")
@@ -638,7 +638,7 @@ def sub_sidebar(v, sub):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("10/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("10/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def sub_marsey(v, sub):
 if g.is_tor: abort(403, "Image uploads are not allowed through TOR!")
@@ -681,7 +681,7 @@ def subs(v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def hole_pin(v, pid):
 p = get_post(pid)
@@ -717,7 +717,7 @@ def hole_pin(v, pid):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def hole_unpin(v, pid):
 p = get_post(pid)
@@ -750,7 +750,7 @@ def hole_unpin(v, pid):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def sub_stealth(v, sub):
 sub = get_sub_by_name(sub)
 if sub.name in {'braincels','smuggies','mnn'} and v.admin_level < PERMS["MODS_EVERY_HOLE"]:
@@ -786,7 +786,7 @@ def sub_stealth(v, sub):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def pin_comment_mod(cid, v):
 comment = get_comment(cid, v=v)
@@ -817,7 +817,7 @@ def pin_comment_mod(cid, v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def unpin_comment_mod(cid, v):
 comment = get_comment(cid, v=v)
diff --git a/files/routes/users.py b/files/routes/users.py
index eba5b7877..91361976b 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -467,7 +467,7 @@ def get_coins(v, username):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def transfer_coins(v, username):
 return transfer_currency(v, username, 'coins', True)
@@ -477,7 +477,7 @@ def transfer_coins(v, username):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def transfer_bux(v, username):
 return transfer_currency(v, username, 'marseybux', False)
@@ -613,7 +613,7 @@ def unsubscribe(v, post_id):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("10/minute;20/hour;50/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("10/minute;20/hour;50/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def message2(v, username=None, id=None):
 if id:
 user = get_account(id, v=v, include_blocks=True)
diff --git a/files/routes/votes.py b/files/routes/votes.py
index 30214740a..96b008c52 100644
--- a/files/routes/votes.py
+++ b/files/routes/votes.py
@@ -224,7 +224,7 @@ def vote_info_get(v, link):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("60/minute;1000/hour;2000/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("60/minute;1000/hour;2000/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def vote_post(post_id, new, v):
 return vote_post_comment(post_id, new, v, Post, Vote)
@@ -233,6 +233,6 @@ def vote_post(post_id, new, v):
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
 @limiter.limit("60/minute;1000/hour;2000/day", deduct_when=lambda response: response.status_code < 400)
 @limiter.limit("60/minute;1000/hour;2000/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@is_not_permabanned
+@auth_required
 def vote_comment(comment_id, new, v):
 return vote_post_comment(comment_id, new, v, Comment, CommentVote)
diff --git a/files/routes/wrappers.py b/files/routes/wrappers.py
index 917aa573f..41aa79db1 100644
--- a/files/routes/wrappers.py
+++ b/files/routes/wrappers.py
@@ -139,6 +139,8 @@ def auth_required(f):
 v = get_logged_in_user()
 if not v:
 abort(401, "You need to login to perform this action!")
+ if v.is_permabanned and request.method == "POST" and request.path not in {'/contact','/reply'} and not request.path.startswith('/delete/'):
+ abort(403, "You can't perform this action while permabanned!")
 return make_response(f(*args, v=v, **kwargs))
 wrapper.__name__ = f.__name__
 return wrapper
@@ -154,17 +156,6 @@ def is_not_banned(f):
 wrapper.__name__ = f.__name__
 return wrapper
-def is_not_permabanned(f):
- def wrapper(*args, **kwargs):
- v = get_logged_in_user()
- if not v:
- abort(401, "You need to login to perform this action!")
- if v.is_permabanned:
- abort(403, "You can't perform this action while permabanned!")
- return make_response(f(*args, v=v, **kwargs))
- wrapper.__name__ = f.__name__
- return wrapper
-
 def admin_level_required(x):
 def wrapper_maker(f):
 def wrapper(*args, **kwargs):
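Review bot: The exemption in the added `if v.is_permabanned and request.method == "POST" and request.path not in {'/contact','/reply'} and not request.path.startswith('/delete/'):` is keyed on raw URL text, which is fragile in both directions: any future route registered under `/delete/` silently inherits the exemption, while a route that accepts a non-POST mutating method (PUT, PATCH, DELETE), if one exists, is silently not covered. Matching `request.endpoint` against a named module-level set (say `PERMABANNED_ALLOWED_ENDPOINTS`) and testing `request.method not in ("GET", "HEAD", "OPTIONS")` would tie the policy to the view functions rather than to path strings. Note also that this check now applies to every POST route that was already decorated with `@auth_required` before this commit, not only the ones switched over here; any such route a banned user legitimately needs (a logout endpoint, for instance, if it is a POST under `auth_required`) should be audited and added to the exemption. A comment above the check naming the deliberate exceptions, e.g. `# /contact, /reply and /delete/* intentionally stay open to permabanned users`, would make the intent reviewable; the enclosing `wrapper` starts above the hunk.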