From 8db6b3f7fd58ddca9d7123801b9511ffb6fa8d47 Mon Sep 17 00:00:00 2001 From: justcool393 Date: Thu, 6 Oct 2022 02:09:46 -0700 Subject: [PATCH] improve POST_TO_CHANGELOG check --- files/helpers/const.py | 2 +- files/routes/posts.py | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/files/helpers/const.py b/files/helpers/const.py index e44fa9d57..86c9b184f 100644 --- a/files/helpers/const.py +++ b/files/helpers/const.py @@ -146,7 +146,7 @@ PERMS = { # Minimum admin_level to perform action. 'USER_LINK': 2, 'USER_MERGE': 3, # note: extra check for Aevann 'USER_TITLE_CHANGE': 2, - 'POST_TO_CHANGELOG': 1, + 'POST_TO_CHANGELOG': 1, # note: code contributors can also post to changelog 'POST_TO_POLL_THREAD': 2, 'POST_BETS': 3, 'POST_BETS_DISTRIBUTE': 3, # probably should be the same as POST_BETS but w/e diff --git a/files/routes/posts.py b/files/routes/posts.py index 014a1ae54..73d4e67e4 100644 --- a/files/routes/posts.py +++ b/files/routes/posts.py @@ -679,12 +679,9 @@ def submit_post(v, sub=None): sub = request.values.get("sub", "").lower().replace('/h/','').strip() - if sub == 'changelog': - allowed = [] - if v.admin_level >= PERMS['POST_TO_CHANGELOG']: - allowed.append(v.id) - if v.id not in allowed: # only query for badges if doesn't have permissions (this is a bit weird tbh) - allowed = g.db.query(Badge.user_id).filter_by(badge_id=3).all() + if sub == 'changelog' and not v.admin_level >= PERMS['POST_TO_CHANGELOG']: + # we also allow 'code contributor' badgeholders to post to the changelog hole + allowed = g.db.query(Badge.user_id).filter_by(badge_id=3).all() allowed = [x[0] for x in allowed] if v.id not in allowed: return error(f"You don't have sufficient permissions to post in /h/changelog")