carpathianflorist
/
MarseyWorld
forked from MarseyWorld/MarseyWorld
1
0
Fork 0
Code Pull Requests Activity

Fix shop double-spend exploit.

master
Snakes 2022-09-16 04:43:20 -04:00
parent bb1852709b
commit 54cae4b570
Signed by: Snakes
GPG Key ID: E745A82778055C7E
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
files/routes/awards.py
View File

@ -67,10 +67,10 @@ def buy(v, award):
if request.values.get("mb"): if request.values.get("mb"):
if v.procoins < price: return {"error": "Not enough marseybux."}, 400 if v.procoins < price: return {"error": "Not enough marseybux."}, 400
if award == "grass": return {"error": "You can't buy the grass award with marseybux."}, 403 if award == "grass": return {"error": "You can't buy the grass award with marseybux."}, 403
v.procoins -= price v.charge_account('procoins', price)
else: else:
if v.coins < price: return {"error": "Not enough coins."}, 400 if v.coins < price: return {"error": "Not enough coins."}, 400
v.coins -= price v.charge_account('coins', price)
v.coins_spent += price v.coins_spent += price
if v.coins_spent >= 1000000: if v.coins_spent >= 1000000:
badge_grant(badge_id=73, user=v) badge_grant(badge_id=73, user=v)