From 5fa03082ab18bb5e707bd09cdc827a3223255ad1 Mon Sep 17 00:00:00 2001
From: Aevann
Date: Thu, 14 Nov 2024 19:47:27 +0200
Subject: [PATCH] fix weird CSP form action bug
---
 files/routes/settings.py | 51 ++++++++++++++------------
 files/templates/settings/security.html | 6 ++-
 2 files changed, 32 insertions(+), 25 deletions(-)
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 4cc6af1bc..4e62235e6 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -636,30 +636,6 @@ def settings_log_out_others(v):
 return {"message": "All other devices have been logged out!"}
-@app.post("/settings/delete_account")
-@limiter.limit('1/second', scope=rpath)
-@limiter.limit('1/second', scope=rpath, key_func=get_ID)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
-@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
-@auth_required
-def settings_delete_account(v):
- submitted_password = request.values.get("password", "").strip()
- if not v.verifyPass(submitted_password):
- stop(400, "Incorrect password!")
-
- if not FEATURES['ACCOUNT_DELETION']:
- return redirect(f"{SITE_FULL_IMAGES}/i/mrburns.webp")
-
- v.login_nonce += 1
- g.db.add(v)
-
- account_deletion = AccountDeletion(user_id=v.id)
- g.db.add(account_deletion)
-
- return render_template("message.html",
- title="Your account will be deleted in 30 days.",
- message="You can (and should) log back in before then to cancel this. Not that we want you here or anything. Whatever bitch."), 202
-
 @app.post("/settings/images/profile")
 @limiter.limit('1/second', scope=rpath)
 @limiter.limit('1/second', scope=rpath, key_func=get_ID)
@@ -1195,3 +1171,30 @@ def settings_age(v):
 x.ban(reason="Underage (age input)", days=remaining_days, modlog=False, original_user=v)
 return {"message": "Age successfully updated!"}
+
+
+if FEATURES['ACCOUNT_DELETION']:
+ @app.post("/settings/delete_account")
+ @limiter.limit('1/second', scope=rpath)
+ @limiter.limit('1/second', scope=rpath, key_func=get_ID)
+ @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
+ @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
+ @auth_required
+ def settings_delete_account(v):
+ submitted_password = request.values.get("password", "").strip()
+ if not v.verifyPass(submitted_password):
+ stop(400, "Incorrect password!")
+
+ v.login_nonce += 1
+ g.db.add(v)
+
+ account_deletion = AccountDeletion(user_id=v.id)
+ g.db.add(account_deletion)
+
+ return render_template("message.html",
+ title="Your account will be deleted in 30 days.",
+ message="You can (and should) log back in before then to cancel this. Not that we want you here or anything. Whatever bitch."), 202
+else:
+ @app.get("/settings/delete_account")
+ def settings_delete_account(v):
+ return redirect(f"{SITE_FULL_IMAGES}/i/mrburns.webp")
\ No newline at end of file
diff --git a/files/templates/settings/security.html b/files/templates/settings/security.html
index 6502187f7..d78afe7ba 100644
--- a/files/templates/settings/security.html
+++ b/files/templates/settings/security.html
@@ -137,7 +137,11 @@
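Review bot: The `else` branch at the end of the hunk registers `def settings_delete_account(v)` with only `@app.get` and no `@auth_required`, yet every other `v`-taking route in this file (including the sibling branch above it) gets `v` from that decorator; without it Flask will presumably invoke the view with no arguments and every request to the feature-off route will fail with a TypeError/500 instead of the intended redirect. The branch is also GET-only while the retained route and the removed code both handled POST, so a form submission to `/settings/delete_account` when `ACCOUNT_DELETION` is off now answers 405 rather than redirecting as the old in-function check did. Keep the method and guard consistent with the other branch: `@app.post("/settings/delete_account")`, `@auth_required`, `def settings_delete_account(v):` (or drop the unused `v` parameter entirely if the route is meant to be unauthenticated). The rate limiters from the enabled branch could be dropped for a plain redirect, but the auth/method mismatch is the part that breaks.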