Merge branch 'master' into mistletoe

2021-12-09 16:41:02 -06:00 · 2021-12-09 16:41:02 -06:00 · 0044f6ff9b
parent 7eda5d5b60 5d5af18d22
commit 0044f6ff9b
14 changed files with 56 additions and 13 deletions
--- a/files/mail/init.py
+++ b/files/mail/init.py
@ -43,6 +43,7 @@ def send_verification_email(user, email=None):
@app.post("/verify_email")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def api_verify_email(v):

 	send_verification_email(v)
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@ -36,6 +36,7 @@ def truescore(v):
@app.post("/@<username>/revert_actions")
@limiter.limit("1/second")
@admin_level_required(2)
+@validate_formkey
 def revert_actions(v, username):
 	if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
 		user = get_user(username)
@ -61,6 +62,7 @@ def revert_actions(v, username):
@app.post("/@<username>/club_allow")
@limiter.limit("1/second")
@admin_level_required(2)
+@validate_formkey
 def club_allow(v, username):

 	u = get_user(username, v=v)
@ -84,6 +86,7 @@ def club_allow(v, username):
@app.post("/@<username>/club_ban")
@limiter.limit("1/second")
@admin_level_required(2)
+@validate_formkey
 def club_ban(v, username):

 	u = get_user(username, v=v)
@ -107,6 +110,7 @@ def club_ban(v, username):
@app.post("/@<username>/make_admin")
@limiter.limit("1/second")
@admin_level_required(2)
+@validate_formkey
 def make_admin(v, username):
 	if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
 		user = get_user(username)
@ -120,6 +124,7 @@ def make_admin(v, username):
@app.post("/@<username>/remove_admin")
@limiter.limit("1/second")
@admin_level_required(2)
+@validate_formkey
 def remove_admin(v, username):
 	if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
 		user = get_user(username)
@ -133,6 +138,7 @@ def remove_admin(v, username):
@app.post("/@<username>/make_meme_admin")
@limiter.limit("1/second")
@admin_level_required(2)
+@validate_formkey
 def make_meme_admin(v, username):
 	if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
 		user = get_user(username)
@ -146,6 +152,7 @@ def make_meme_admin(v, username):
@app.post("/@<username>/remove_meme_admin")
@limiter.limit("1/second")
@admin_level_required(2)
+@validate_formkey
 def remove_meme_admin(v, username):
 	if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
 		user = get_user(username)
@ -159,6 +166,7 @@ def remove_meme_admin(v, username):
@app.post("/admin/monthly")
@limiter.limit("1/day")
@admin_level_required(2)
+@validate_formkey
 def monthly(v):
 	if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
 		thing = g.db.query(AwardRelationship).order_by(AwardRelationship.id.desc()).first().id
@ -930,6 +938,7 @@ def api_distinguish_post(post_id, v):

@app.post("/sticky/<post_id>")
@admin_level_required(2)
+@validate_formkey
 def api_sticky_post(post_id, v):

 	post = g.db.query(Submission).filter_by(id=post_id).first()
@ -965,6 +974,7 @@ def api_sticky_post(post_id, v):
@app.post("/ban_comment/<c_id>")
@limiter.limit("1/second")
@admin_level_required(1)
+@validate_formkey
 def api_ban_comment(c_id, v):

 	comment = g.db.query(Comment).filter_by(id=c_id).first()
@ -989,6 +999,7 @@ def api_ban_comment(c_id, v):
@app.post("/unban_comment/<c_id>")
@limiter.limit("1/second")
@admin_level_required(1)
+@validate_formkey
 def api_unban_comment(c_id, v):

 	comment = g.db.query(Comment).filter_by(id=c_id).first()
@ -1013,6 +1024,7 @@ def api_unban_comment(c_id, v):

@app.post("/distinguish_comment/<c_id>")
@admin_level_required(1)
+@validate_formkey
 def admin_distinguish_comment(c_id, v):
 	
 	
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@ -270,6 +270,7 @@ def shop(v):

@app.post("/buy/<award>")
@auth_required
+@validate_formkey
 def buy(v, award):
 	AWARDS = {
 		"shit": {
@ -514,6 +515,7 @@ def buy(v, award):
@app.post("/post/<pid>/awards")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def award_post(pid, v):

 	if v.shadowbanned: return render_template('errors/500.html', v=v), 500
@ -671,6 +673,7 @@ def award_post(pid, v):
@app.post("/comment/<cid>/awards")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def award_comment(cid, v):

 	if v.shadowbanned: return render_template('errors/500.html', v=v), 500
--- a/files/routes/front.py
+++ b/files/routes/front.py
@ -13,6 +13,7 @@ def slash_post():

@app.post("/clear")
@auth_required
+@validate_formkey
 def clear(v):
 	for n in v.notifications.filter_by(read=False).all():
 		n.read = True
@ -210,7 +211,8 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, filter_words='
 		posts = posts.filter(Submission.created_utc >= cutoff)
 	else: cutoff = 0

-	posts = posts.filter_by(is_banned=False, stickied=None, private=False, deleted_utc = 0)
+	if sort == "new": posts = posts.filter_by(is_banned=False, private=False, deleted_utc = 0)
+	else: posts = posts.filter_by(is_banned=False, stickied=None, private=False, deleted_utc = 0)

 	if v and v.admin_level == 0:
 		blocking = [x[0] for x in g.db.query(
@ -263,13 +265,14 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, filter_words='

 	posts = posts[:size]

-	pins = g.db.query(Submission).filter(Submission.stickied != None, Submission.is_banned == False)
-	if v and v.admin_level == 0:
-		blocking = [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=v.id).all()]
-		blocked = [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=v.id).all()]
-		pins = pins.filter(Submission.author_id.notin_(blocking), Submission.author_id.notin_(blocked))
+	if sort != "new":
+		pins = g.db.query(Submission).filter(Submission.stickied != None, Submission.is_banned == False)
+		if v and v.admin_level == 0:
+			blocking = [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=v.id).all()]
+			blocked = [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=v.id).all()]
+			pins = pins.filter(Submission.author_id.notin_(blocking), Submission.author_id.notin_(blocked))

-	if page == 1 and not gt and not lt: posts = pins.all() + posts
+	if sort != "new" and page == 1 and not gt and not lt: posts = pins.all() + posts

 	if ids_only: posts = [x.id for x in posts]

--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@ -38,6 +38,7 @@ def authorize(v):
@app.post("/api_keys")
@limiter.limit("1/second")
@is_not_banned
+@validate_formkey
 def request_api_keys(v):

 	new_app = OauthApp(
@ -253,6 +254,7 @@ def admin_apps_list(v):
@app.post("/oauth/reroll/<aid>")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def reroll_oauth_tokens(aid, v):

 	aid = aid
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@ -8,6 +8,7 @@ from files.helpers.sanitize import filter_emojis_only
@app.post("/report/post/<pid>")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def api_flag_post(pid, v):

 	post = get_post(pid)
@ -38,6 +39,7 @@ def api_flag_post(pid, v):
@app.post("/report/comment/<cid>")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def api_flag_comment(cid, v):

 	comment = get_comment(cid)
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@ -34,6 +34,7 @@ tiers={
@app.post("/settings/removebackground")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def removebackground(v):
 	v.background = None
 	g.db.add(v)
@ -439,6 +440,7 @@ def settings_profile_post(v):

@app.post("/settings/filters")
@auth_required
+@validate_formkey
 def filters(v):
 	filters=request.values.get("filters")[:1000].strip()

@ -810,6 +812,7 @@ def settings_css_get(v):
@app.post("/settings/css")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def settings_css(v):
 	css = request.values.get("css").strip().replace('\\', '').strip()[:4000]

@ -826,14 +829,15 @@ def settings_css(v):
@auth_required
 def settings_profilecss_get(v):

-	if v.truecoins < 1000 and not v.patron and v.admin_level == 0 : return f"You must have +1000 {COINS_NAME} or be a patron to set profile css."
+	if v.truecoins < 1000 and not v.patron and v.admin_level == 0 : return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css."
 	return render_template("settings_profilecss.html", v=v)

@app.post("/settings/profilecss")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def settings_profilecss(v):
-	if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a patron to set profile css."
+	if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css."
 	profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000]
 	v.profilecss = profilecss
 	g.db.add(v)
--- a/files/routes/static.py
+++ b/files/routes/static.py
@ -230,6 +230,7 @@ def contact(v):
@app.post("/contact")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def submit_contact(v):
 	message = f'This message has been sent automatically to all admins via https://{site}/contact, user email is "{v.email}"\n\nMessage:\n\n' + request.values.get("message", "")
 	send_admin(v.id, message)
--- a/files/routes/users.py
+++ b/files/routes/users.py
@ -97,6 +97,7 @@ def downvoting(v, username):
@app.post("/pay_rent")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def pay_rent(v):
 	if v.coins < 500: return "You must have more than 500 coins."
 	v.coins -= 500
@ -113,6 +114,7 @@ def pay_rent(v):
@app.post("/steal")
@limiter.limit("1/second")
@is_not_banned
+@validate_formkey
 def steal(v):
 	if int(time.time()) - v.created_utc < 604800:
 		return "You must have an account older than 1 week in order to attempt stealing."
@ -167,6 +169,7 @@ def thiefs(v):
@app.post("/@<username>/suicide")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def suicide(v, username):
 	t = int(time.time())
 	if v.admin_level == 0 and t - v.suicide_utc < 86400: return {"message": "You're on 1-day cooldown!"}
@ -312,6 +315,7 @@ def song(song):
@app.post("/subscribe/<post_id>")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def subscribe(v, post_id):
 	new_sub = Subscription(user_id=v.id, submission_id=post_id)
 	g.db.add(new_sub)
@ -321,6 +325,7 @@ def subscribe(v, post_id):
@app.post("/unsubscribe/<post_id>")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def unsubscribe(v, post_id):
 	sub=g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).first()
 	if sub:
@ -337,6 +342,7 @@ def reportbugs(v):
@limiter.limit("1/second")
@limiter.limit("10/hour")
@auth_required
+@validate_formkey
 def message2(v, username):

 	user = get_user(username, v=v)
@ -400,6 +406,7 @@ def message2(v, username):
@limiter.limit("1/second")
@limiter.limit("6/minute")
@auth_required
+@validate_formkey
 def messagereply(v):

 	message = request.values.get("body", "").strip()[:1000].strip()
@ -727,6 +734,7 @@ def u_username_info(username, v=None):
@app.post("/follow/<username>")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def follow_user(username, v):

 	target = get_user(username)
@ -752,6 +760,7 @@ def follow_user(username, v):
@app.post("/unfollow/<username>")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def unfollow_user(username, v):

 	target = get_user(username)
@ -778,6 +787,7 @@ def unfollow_user(username, v):
@app.post("/remove_follow/<username>")
@limiter.limit("1/second")
@auth_required
+@validate_formkey
 def remove_follow(username, v):
 	target = get_user(username)

@ -869,6 +879,7 @@ def saved_comments(v, username):

@app.post("/fp/<fp>")
@auth_required
+@validate_formkey
 def fp(v, fp):
 	if v.username != fp:
 		v.fp = fp
--- a/files/routes/votes.py
+++ b/files/routes/votes.py
@ -196,6 +196,7 @@ def api_vote_comment(comment_id, new, v):

@app.post("/vote/poll/<comment_id>")
@auth_required
+@validate_formkey
 def api_vote_poll(comment_id, v):
 	
 	vote = request.values.get("vote")
--- a/files/templates/changelog.html
+++ b/files/templates/changelog.html
@ -102,6 +102,6 @@
 </nav>
 {% endif %}

-<script src="/assets/js/changelog.js?v=54"></script>
+<script src="/assets/js/changelog.js?v=55"></script>

 {% endblock %}
--- a/files/templates/header.html
+++ b/files/templates/header.html
@ -213,7 +213,7 @@
 	</div>
 </nav>

-<script src="/assets/js/header.js?v=54"></script>
+<script src="/assets/js/header.js?v=56"></script>

 <style>
 	.notif-count {
--- a/files/templates/settings_blocks.html
+++ b/files/templates/settings_blocks.html
@ -4,7 +4,7 @@

 {% block content %}

-<script src="/assets/js/settings_block.js?v=2"></script>
+<script src="/assets/js/settings_blocks.js?v=2"></script>

 <div class="row">

@ -121,4 +121,8 @@
 	</div>
 </div>

+{% if v %}
+	<div id="formkey" class="d-none">{{v.formkey}}</div>
+{% endif %}
+
 {% endblock %}
--- a/files/templates/userpage_private.html
+++ b/files/templates/userpage_private.html
@ -31,5 +31,4 @@
 {% endblock %}

 {% block pagenav %}
-<script src="/assets/js/userpage.js?v=72"></script>
 {% endblock %}