Close more shadowbanned user info leaks.
1. Missed the notif for unfollowing a non-fish'd user in fb52003404.
2. "Get Them Help" button showed username.
3. Gift coins/mbux showed username and allowed a message.
4. Global block list showed username.
5. User profile appeared to logged-out and non-jannies.
master
parent
6d129538ea
commit
3ebba0465a
|
@ -333,8 +333,11 @@ def blocks(v):
|
||||||
users = []
|
users = []
|
||||||
targets = []
|
targets = []
|
||||||
for x in blocks:
|
for x in blocks:
|
||||||
users.append(get_account(x.user_id))
|
acc_user = get_account(x.user_id)
|
||||||
targets.append(get_account(x.target_id))
|
acc_tgt = get_account(x.target_id)
|
||||||
|
if acc_user.shadowbanned or acc_tgt.shadowbanned: continue
|
||||||
|
users.append(acc_user)
|
||||||
|
targets.append(acc_tgt)
|
||||||
|
|
||||||
return render_template("blocks.html", v=v, users=users, targets=targets)
|
return render_template("blocks.html", v=v, users=users, targets=targets)
|
||||||
|
|
||||||
|
|
|
@ -379,7 +379,8 @@ def downvoting(v, username):
|
||||||
def suicide(v, username):
|
def suicide(v, username):
|
||||||
user = get_user(username)
|
user = get_user(username)
|
||||||
suicide = f"Hi there,\n\nA [concerned user](/id/{v.id}) reached out to us about you.\n\nWhen you're in the middle of something painful, it may feel like you don't have a lot of options. But whatever you're going through, you deserve help and there are people who are here for you.\n\nThere are resources available in your area that are free, confidential, and available 24/7:\n\n- Call, Text, or Chat with Canada's [Crisis Services Canada](https://www.crisisservicescanada.ca/en/)\n- Call, Email, or Visit the UK's [Samaritans](https://www.samaritans.org/)\n- Text CHAT to America's [Crisis Text Line](https://www.crisistextline.org/) at 741741.\nIf you don't see a resource in your area above, the moderators keep a comprehensive list of resources and hotlines for people organized by location. Find Someone Now\n\nIf you think you may be depressed or struggling in another way, don't ignore it or brush it aside. Take yourself and your feelings seriously, and reach out to someone.\n\nIt may not feel like it, but you have options. There are people available to listen to you, and ways to move forward.\n\nYour fellow users care about you and there are people who want to help."
|
suicide = f"Hi there,\n\nA [concerned user](/id/{v.id}) reached out to us about you.\n\nWhen you're in the middle of something painful, it may feel like you don't have a lot of options. But whatever you're going through, you deserve help and there are people who are here for you.\n\nThere are resources available in your area that are free, confidential, and available 24/7:\n\n- Call, Text, or Chat with Canada's [Crisis Services Canada](https://www.crisisservicescanada.ca/en/)\n- Call, Email, or Visit the UK's [Samaritans](https://www.samaritans.org/)\n- Text CHAT to America's [Crisis Text Line](https://www.crisistextline.org/) at 741741.\nIf you don't see a resource in your area above, the moderators keep a comprehensive list of resources and hotlines for people organized by location. Find Someone Now\n\nIf you think you may be depressed or struggling in another way, don't ignore it or brush it aside. Take yourself and your feelings seriously, and reach out to someone.\n\nIt may not feel like it, but you have options. There are people available to listen to you, and ways to move forward.\n\nYour fellow users care about you and there are people who want to help."
|
||||||
send_notification(user.id, suicide)
|
if not v.shadowbanned:
|
||||||
|
send_notification(user.id, suicide)
|
||||||
g.db.commit()
|
g.db.commit()
|
||||||
return {"message": "Help message sent!"}
|
return {"message": "Help message sent!"}
|
||||||
|
|
||||||
|
@ -412,21 +413,22 @@ def transfer_coins(v, username):
|
||||||
if not v.patron and not receiver.patron and not v.alts_patron and not receiver.alts_patron: tax = math.ceil(amount*0.03)
|
if not v.patron and not receiver.patron and not v.alts_patron and not receiver.alts_patron: tax = math.ceil(amount*0.03)
|
||||||
else: tax = 0
|
else: tax = 0
|
||||||
|
|
||||||
log_message = f"@{v.username} has transferred {amount} coins to @{receiver.username}"
|
|
||||||
send_repeatable_notification(GIFT_NOTIF_ID, log_message)
|
|
||||||
|
|
||||||
receiver.coins += amount-tax
|
|
||||||
v.coins -= amount
|
v.coins -= amount
|
||||||
|
|
||||||
notif_text = f":marseycapitalistmanlet: @{v.username} has gifted you {amount-tax} coins!"
|
if not v.shadowbanned:
|
||||||
if reason:
|
receiver.coins += amount - tax
|
||||||
if len(reason) > 200: return {"error": "Reason is too long, max 200 characters"},400
|
|
||||||
notif_text += f"\n\n> {reason}"
|
log_message = f"@{v.username} has transferred {amount} coins to @{receiver.username}"
|
||||||
|
send_repeatable_notification(GIFT_NOTIF_ID, log_message)
|
||||||
|
|
||||||
|
notif_text = f":marseycapitalistmanlet: @{v.username} has gifted you {amount-tax} coins!"
|
||||||
|
if reason:
|
||||||
|
if len(reason) > 200: return {"error": "Reason is too long, max 200 characters"},400
|
||||||
|
notif_text += f"\n\n> {reason}"
|
||||||
|
send_repeatable_notification(receiver.id, notif_text)
|
||||||
|
|
||||||
send_repeatable_notification(receiver.id, notif_text)
|
|
||||||
g.db.add(receiver)
|
g.db.add(receiver)
|
||||||
g.db.add(v)
|
g.db.add(v)
|
||||||
|
|
||||||
g.db.commit()
|
g.db.commit()
|
||||||
|
|
||||||
return {"message": f"{amount-tax} coins transferred!"}, 200
|
return {"message": f"{amount-tax} coins transferred!"}, 200
|
||||||
|
@ -448,25 +450,25 @@ def transfer_bux(v, username):
|
||||||
amount = int(amount) if amount.isdigit() else None
|
amount = int(amount) if amount.isdigit() else None
|
||||||
reason = request.values.get("reason", "").strip()
|
reason = request.values.get("reason", "").strip()
|
||||||
|
|
||||||
|
|
||||||
if not amount or amount < 0: return {"error": "Invalid amount of marseybux."}, 400
|
if not amount or amount < 0: return {"error": "Invalid amount of marseybux."}, 400
|
||||||
if v.procoins < amount: return {"error": "You don't have enough marseybux"}, 400
|
if v.procoins < amount: return {"error": "You don't have enough marseybux"}, 400
|
||||||
if amount < 100: return {"error": "You have to gift at least 100 marseybux."}, 400
|
if amount < 100: return {"error": "You have to gift at least 100 marseybux."}, 400
|
||||||
|
|
||||||
log_message = f"@{v.username} has transferred {amount} Marseybux to @{receiver.username}"
|
|
||||||
send_repeatable_notification(GIFT_NOTIF_ID, log_message)
|
|
||||||
|
|
||||||
receiver.procoins += amount
|
|
||||||
v.procoins -= amount
|
v.procoins -= amount
|
||||||
|
|
||||||
notif_text = f":marseycapitalistmanlet: @{v.username} has gifted you {amount} bux!"
|
if not v.shadowbanned:
|
||||||
if reason:
|
receiver.procoins += amount
|
||||||
notif_text += f"\n\n> {reason}"
|
|
||||||
|
log_message = f"@{v.username} has transferred {amount} Marseybux to @{receiver.username}"
|
||||||
|
send_repeatable_notification(GIFT_NOTIF_ID, log_message)
|
||||||
|
|
||||||
|
notif_text = f":marseycapitalistmanlet: @{v.username} has gifted you {amount} bux!"
|
||||||
|
if reason:
|
||||||
|
notif_text += f"\n\n> {reason}"
|
||||||
|
send_repeatable_notification(receiver.id, notif_text)
|
||||||
|
|
||||||
send_repeatable_notification(receiver.id, notif_text)
|
|
||||||
g.db.add(receiver)
|
g.db.add(receiver)
|
||||||
g.db.add(v)
|
g.db.add(v)
|
||||||
|
|
||||||
g.db.commit()
|
g.db.commit()
|
||||||
return {"message": f"{amount} marseybux transferred!"}, 200
|
return {"message": f"{amount} marseybux transferred!"}, 200
|
||||||
|
|
||||||
|
@ -870,14 +872,18 @@ def redditor_moment_redirect(username, v):
|
||||||
@auth_required
|
@auth_required
|
||||||
def followers(username, v):
|
def followers(username, v):
|
||||||
u = get_user(username, v=v)
|
u = get_user(username, v=v)
|
||||||
users = g.db.query(User).join(Follow, Follow.target_id == u.id).filter(Follow.user_id == User.id).order_by(Follow.created_utc).all()
|
users = g.db.query(User).join(Follow, Follow.target_id == u.id) \
|
||||||
|
.filter(Follow.user_id == User.id) \
|
||||||
|
.order_by(Follow.created_utc).all()
|
||||||
return render_template("followers.html", v=v, u=u, users=users)
|
return render_template("followers.html", v=v, u=u, users=users)
|
||||||
|
|
||||||
@app.get("/@<username>/following")
|
@app.get("/@<username>/following")
|
||||||
@auth_required
|
@auth_required
|
||||||
def following(username, v):
|
def following(username, v):
|
||||||
u = get_user(username, v=v)
|
u = get_user(username, v=v)
|
||||||
users = g.db.query(User).join(Follow, Follow.user_id == u.id).filter(Follow.target_id == User.id).order_by(Follow.created_utc).all()
|
users = g.db.query(User).join(Follow, Follow.user_id == u.id) \
|
||||||
|
.filter(Follow.target_id == User.id) \
|
||||||
|
.order_by(Follow.created_utc).all()
|
||||||
return render_template("following.html", v=v, u=u, users=users)
|
return render_template("following.html", v=v, u=u, users=users)
|
||||||
|
|
||||||
@app.get("/views")
|
@app.get("/views")
|
||||||
|
@ -906,6 +912,9 @@ def u_username(username, v=None):
|
||||||
if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": f"That username is reserved for: {u.reserved}"}
|
if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": f"That username is reserved for: {u.reserved}"}
|
||||||
return render_template("userpage_reserved.html", u=u, v=v)
|
return render_template("userpage_reserved.html", u=u, v=v)
|
||||||
|
|
||||||
|
if u.shadowbanned and not (v and v.admin_level >= 2):
|
||||||
|
abort(404)
|
||||||
|
|
||||||
if v and v.id not in (u.id,DAD_ID) and (u.patron or u.admin_level > 1):
|
if v and v.id not in (u.id,DAD_ID) and (u.patron or u.admin_level > 1):
|
||||||
view = g.db.query(ViewerRelationship).filter_by(viewer_id=v.id, user_id=u.id).one_or_none()
|
view = g.db.query(ViewerRelationship).filter_by(viewer_id=v.id, user_id=u.id).one_or_none()
|
||||||
|
|
||||||
|
@ -1138,7 +1147,8 @@ def unfollow_user(username, v):
|
||||||
target.stored_subscriber_count = g.db.query(Follow).filter_by(target_id=target.id).count()
|
target.stored_subscriber_count = g.db.query(Follow).filter_by(target_id=target.id).count()
|
||||||
g.db.add(target)
|
g.db.add(target)
|
||||||
|
|
||||||
send_notification(target.id, f"@{v.username} has unfollowed you!")
|
if not v.shadowbanned:
|
||||||
|
send_notification(target.id, f"@{v.username} has unfollowed you!")
|
||||||
|
|
||||||
g.db.commit()
|
g.db.commit()
|
||||||
|
|
||||||
|
|
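Review bot: In the transfer_coins hunk the check `if len(reason) > 200: return {"error": "Reason is too long, max 200 characters"},400` now appears to sit inside the new `if not v.shadowbanned:` block, after `v.coins -= amount` and `receiver.coins += amount - tax` have run; indentation is not preserved on this page, so the nesting is inferred from line order. If so, an over-long reason returns 400 for a normal sender and 200 for a shadowbanned one, which lets the sender tell the two states apart, and the validation runs only after balances were modified. Moving the length check above `v.coins -= amount`, next to the other input checks, would make the response independent of the sender's state and keep validation ahead of any mutation. The transfer_bux hunk shows no length limit on `reason` in its visible lines; both function bodies start outside their hunks, so an earlier check cannot be ruled out.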