Verify admin level before editing others' posts.

Yes, it has been possible for any user to edit any post on the site, their own or otherwise. Only have to generate the POST /edit_post/ manually: an example exploit was created and tested successfully prior to patching. However, abuse of this vulnerability would have generated edit_post modlog entries, the lack of which on prod suggest it was not abused that we know of -- Lord knows how.
2022-08-11 20:12:35 -04:00 · 2022-08-11 20:12:35 -04:00 · 12d7cfaa6c
parent d392a213d5
commit 12d7cfaa6c
1 changed files with 3 additions and 0 deletions
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@ -396,6 +396,9 @@ def edit_post(pid, v):

 	body = body.replace('\r\n', '\n')[:20000]

+	if v.id != p.author_id and v.admin_level < 2:
+		abort(403)
+
 	if v.id == p.author_id:
 		if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')):
 			return {"error":"You have to type more than 280 characters!"}, 403