From 4a252e9699114acc194a03475c466bc8f5211546 Mon Sep 17 00:00:00 2001 From: justcool393 Date: Wed, 2 Nov 2022 20:35:32 -0500 Subject: [PATCH] security: fix CSRF on internal cache dump route move dumping internal cache to admin tools --- files/routes/admin.py | 13 +++---------- files/templates/admin/admin_home.html | 13 ++++++++++--- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/files/routes/admin.py b/files/routes/admin.py index 94de42ee7..05f06d9ef 100644 --- a/files/routes/admin.py +++ b/files/routes/admin.py @@ -473,14 +473,9 @@ def change_settings(v, setting): return {'message': f"{setting} {word}d successfully!"} - @app.post("/admin/purge_cache") @admin_level_required(PERMS['SITE_CACHE_PURGE_CDN']) def purge_cache(v): - if v.admin_level >= PERMS['SITE_CACHE_DUMP_INTERNAL']: - online = cache.get(ONLINE_STR) - cache.clear() - cache.set(ONLINE_STR, online) if not purge_entire_cache(): abort(400, 'Failed to purge cache') ma = ModAction( @@ -488,22 +483,20 @@ def purge_cache(v): user_id=v.id ) g.db.add(ma) - return {"message": "Cache purged!"} + return {"message": "CDN cache purged!"} -@app.get("/admin/dump_cache") +@app.post("/admin/dump_cache") @admin_level_required(PERMS['SITE_CACHE_DUMP_INTERNAL']) def admin_dump_cache(v): online = cache.get(ONLINE_STR) cache.clear() cache.set(ONLINE_STR, online) - ma = ModAction( kind="dump_cache", user_id=v.id ) g.db.add(ma) - - return {"message": "Internal cache cleared."} + return {"message": "Internal cache cleared!"} @app.post("/admin/under_attack") @admin_level_required(PERMS['SITE_SETTINGS_UNDER_ATTACK']) diff --git a/files/templates/admin/admin_home.html b/files/templates/admin/admin_home.html index bfa5a5ff6..af44cfaf9 100644 --- a/files/templates/admin/admin_home.html +++ b/files/templates/admin/admin_home.html @@ -138,15 +138,22 @@ {% endif %} - {% if v.admin_level >= PERMS['SITE_CACHE_PURGE_CDN'] %} - - {% endif %}
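Review bot: Now that purge_cache no longer touches the in-process cache, the split of responsibilities between the two routes is only implied by the removed lines and deserves a docstring on the new side, e.g. `"""Purge the CDN cache only; the in-process cache is cleared separately by admin_dump_cache."""` directly under `def purge_cache(v):`. The `abort(400, 'Failed to purge cache')` also reports an upstream/CDN failure as a client error; a 5xx (`abort(502, ...)` or `abort(500, ...)`) would describe it more accurately and would not be mistaken for a bad request by whoever reads the logs. purge_cache's body continues in the next hunk.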
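Review bot: Moving `/admin/dump_cache` to `@app.post` only closes the CSRF hole if non-GET requests are also checked for the per-session formkey; that check presumably lives in `admin_level_required` or the login helper it wraps, neither of which is in this diff, so confirm it applies to this route and add a test that a POST without a valid formkey is rejected. The `cache.get(ONLINE_STR)` / `cache.clear()` / `cache.set(ONLINE_STR, online)` sequence in admin_dump_cache is a non-atomic read-clear-write, so a concurrent update to the online counter can be lost and a missing key is written back as `None`; acceptable for an admin-only action but worth stating with `# best-effort: not atomic, a concurrent update to the online count may be dropped`. Anything that still hits the old GET URL (bookmarks, external scripts) will now get a 405 rather than clearing the cache, which is the intended outcome but may be worth a line in the commit message.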
{% if SITE_NAME == 'PCM' and v.admin_level >= PERMS['PRINT_MARSEYBUX_FOR_KIPPY_ON_PCMEMES'] %} {% endif %} {% endif %} +{% if v.admin_level >= PERMS['SITE_CACHE_PURGE_CDN'] or v.admin_level >= PERMS['SITE_CACHE_DUMP_INTERNAL'] %} +

Caching

+ {% if v.admin_level >= PERMS['SITE_CACHE_PURGE_CDN'] %} + + {% endif %} + {% if v.admin_level >= PERMS['SITE_CACHE_DUMP_INTERNAL'] %} + + {% endif %} +{% endif %} +

Server Status

Live Revision: {{gitref}}