carpathianflorist
/
MarseyWorld
forked from MarseyWorld/MarseyWorld
1
0
Fork 0
Code Pull Requests Activity

fix weird CSP form action bug

master
Aevann 2024-11-14 19:47:27 +02:00
parent 502ae2ebe6
commit 5fa03082ab
2 changed files with 32 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
files/routes/settings.py
View File

@ -636,30 +636,6 @@ def settings_log_out_others(v):
return {"message": "All other devices have been logged out!"} return {"message": "All other devices have been logged out!"}
@app.post("/settings/delete_account")
@limiter.limit('1/second', scope=rpath)
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@auth_required
def settings_delete_account(v):
submitted_password = request.values.get("password", "").strip()
if not v.verifyPass(submitted_password):
stop(400, "Incorrect password!")
if not FEATURES['ACCOUNT_DELETION']:
return redirect(f"{SITE_FULL_IMAGES}/i/mrburns.webp")
v.login_nonce += 1
g.db.add(v)
account_deletion = AccountDeletion(user_id=v.id)
g.db.add(account_deletion)
return render_template("message.html",
title="Your account will be deleted in 30 days.",
message="You can (and should) log back in before then to cancel this. Not that we want you here or anything. Whatever bitch."), 202
@app.post("/settings/images/profile") @app.post("/settings/images/profile")
@limiter.limit('1/second', scope=rpath) @limiter.limit('1/second', scope=rpath)
@limiter.limit('1/second', scope=rpath, key_func=get_ID) @limiter.limit('1/second', scope=rpath, key_func=get_ID)
@ -1195,3 +1171,30 @@ def settings_age(v):
x.ban(reason="Underage (age input)", days=remaining_days, modlog=False, original_user=v) x.ban(reason="Underage (age input)", days=remaining_days, modlog=False, original_user=v)
return {"message": "Age successfully updated!"} return {"message": "Age successfully updated!"}
if FEATURES['ACCOUNT_DELETION']:
@app.post("/settings/delete_account")
@limiter.limit('1/second', scope=rpath)
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@auth_required
def settings_delete_account(v):
submitted_password = request.values.get("password", "").strip()
if not v.verifyPass(submitted_password):
stop(400, "Incorrect password!")
v.login_nonce += 1
g.db.add(v)
account_deletion = AccountDeletion(user_id=v.id)
g.db.add(account_deletion)
return render_template("message.html",
title="Your account will be deleted in 30 days.",
message="You can (and should) log back in before then to cancel this. Not that we want you here or anything. Whatever bitch."), 202
else:
@app.get("/settings/delete_account")
def settings_delete_account(v):
return redirect(f"{SITE_FULL_IMAGES}/i/mrburns.webp")

6
files/templates/settings/security.html
View File

@ -137,7 +137,11 @@
</div> </div>
<div class="footer"> <div class="footer">
<div class="d-flex"> <div class="d-flex">
<input autocomplete="off" class="btn btn-primary ml-auto" type="submit" value="Request Account Deletion"> {% if FEATURES['ACCOUNT_DELETION'] %}
<input autocomplete="off" class="btn btn-primary ml-auto" type="submit" value="Request Account Deletion">
{% else %}
<a class="btn btn-primary ml-auto" href="/settings/delete_account">Request Account Deletion</a>
{% endif %}
</div> </div>
</div> </div>
</form> </form>