Reorder decorators to support f63237a9a2.

Ultimately necessary because otherwise all bots share rate limits with each other. The somewhat haphazard ordering of decorators bothers me, but it's functionally required. Approaches using request context (like reading the Authorization header in ratelimit_user) likely produce bugs all their own.
2022-11-13 05:18:52 -05:00 · 2022-11-13 05:18:52 -05:00 · 8fee66c894
parent f63237a9a2
commit 8fee66c894
11 changed files with 50 additions and 50 deletions
--- a/files/mail/init.py
+++ b/files/mail/init.py
@ -51,8 +51,8 @@ def send_verification_email(user, email=None):

@app.post("/verify_email")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def verify_email(v):

 	send_verification_email(v)
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@ -121,8 +121,8 @@ def buy(v, award):

@app.post("/award/<thing_type>/<id>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@is_not_permabanned
+@ratelimit_user()
@feature_required('AWARDS')
 def award_thing(v, thing_type, id):
 	if thing_type == 'post': 
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@ -458,8 +458,8 @@ def edit_comment(cid, v):

@app.post("/delete/comment/<cid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def delete_comment(cid, v):

 	c = get_comment(cid, v=v)
@ -486,8 +486,8 @@ def delete_comment(cid, v):

@app.post("/undelete/comment/<cid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def undelete_comment(cid, v):

 	c = get_comment(cid, v=v)
@ -558,8 +558,8 @@ def unpin_comment(cid, v):

@app.post("/save_comment/<cid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def save_comment(cid, v):

 	comment=get_comment(cid)
@ -575,8 +575,8 @@ def save_comment(cid, v):

@app.post("/unsave_comment/<cid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def unsave_comment(cid, v):

 	comment=get_comment(cid)
@ -611,8 +611,8 @@ def diff_words(answer, guess):

@app.post("/wordle/<cid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def handle_wordle_action(cid, v):
 	comment = get_comment(cid)

--- a/files/routes/login.py
+++ b/files/routes/login.py
@ -181,8 +181,8 @@ def me(v):

@app.post("/logout")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def logout(v):

 	loggedin = cache.get(f'{SITE}_loggedin') or {}
--- a/files/routes/notifications.py
+++ b/files/routes/notifications.py
@ -5,8 +5,8 @@ from files.__main__ import app
 import time

@app.post("/clear")
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def clear(v):
 	notifs = g.db.query(Notification).join(Notification.comment).filter(Notification.read == False, Notification.user_id == v.id).all()
 	for n in notifs:
@ -19,8 +19,8 @@ def clear(v):


@app.get("/unread")
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def unread(v):
 	listing = g.db.query(Notification, Comment).join(Notification.comment).filter(
 		Notification.read == False,
--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@ -18,8 +18,8 @@ def authorize_prompt(v):

@app.post("/authorize")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def authorize(v):

 	client_id = request.values.get("client_id")
@ -40,8 +40,8 @@ def authorize(v):

@app.post("/rescind/<aid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def rescind(v, aid):

 	auth = g.db.query(ClientAuth).filter_by(oauth_client = aid, user_id = v.id).one_or_none()
@ -52,8 +52,8 @@ def rescind(v, aid):

@app.post("/api_keys")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@is_not_permabanned
+@ratelimit_user()
 def request_api_keys(v):

 	new_app = OauthApp(
@ -94,8 +94,8 @@ def request_api_keys(v):

@app.post("/delete_app/<aid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def delete_oauth_app(v, aid):
 	try:
 		aid = int(aid)
@ -117,8 +117,8 @@ def delete_oauth_app(v, aid):

@app.post("/edit_app/<aid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@is_not_permabanned
+@ratelimit_user()
 def edit_oauth_app(v, aid):
 	try:
 		aid = int(aid)
@ -285,8 +285,8 @@ def admin_apps_list(v):

@app.post("/reroll/<aid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def reroll_oauth_tokens(aid, v):

 	aid = aid
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@ -79,8 +79,8 @@ def unclub_post(pid, v):

@app.post("/publish/<pid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def publish(pid, v):
 	post = get_post(pid)
 	if not post.private: return {"message": "Post published!"}
@ -955,8 +955,8 @@ def submit_post(v, sub=None):

@app.post("/delete_post/<pid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def delete_post_pid(pid, v):
 	post = get_post(pid)
 	if post.author_id != v.id: abort(403)
@ -982,8 +982,8 @@ def delete_post_pid(pid, v):

@app.post("/undelete_post/<pid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def undelete_post_pid(pid, v):
 	post = get_post(pid)
 	if post.author_id != v.id: abort(403)
@ -1038,8 +1038,8 @@ def toggle_post_nsfw(pid, v):

@app.post("/save_post/<pid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def save_post(pid, v):

 	post=get_post(pid)
@ -1054,8 +1054,8 @@ def save_post(pid, v):

@app.post("/unsave_post/<pid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def unsave_post(pid, v):

 	post=get_post(pid)
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@ -9,8 +9,8 @@ from files.helpers.sanitize import filter_emojis_only

@app.post("/report/post/<pid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def flag_post(pid, v):
 	post = get_post(pid)
 	reason = request.values.get("reason", "").strip()
@ -62,8 +62,8 @@ def flag_post(pid, v):

@app.post("/report/comment/<cid>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def flag_comment(cid, v):

 	comment = get_comment(cid)
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@ -28,8 +28,8 @@ def settings_personal(v):

@app.delete('/settings/background')
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def remove_background(v):
 	if v.background:
 		v.background = None
@ -38,8 +38,8 @@ def remove_background(v):

@app.post("/settings/personal")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_personal_post(v):
 	updated = False

@ -319,22 +319,22 @@ def set_color(v:User, attr:str, color:Optional[str]):

@app.post("/settings/namecolor")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def namecolor(v):
 	return set_color(v, "namecolor", request.values.get("namecolor"))
 	
@app.post("/settings/themecolor")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def themecolor(v):
 	return set_color(v, "themecolor", request.values.get("themecolor"))

@app.post("/settings/gumroad")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def gumroad(v):
 	if not (v.email and v.is_activated):
 		abort(400, f"You must have a verified email to verify {patron} status and claim your rewards!")
@ -369,23 +369,23 @@ def gumroad(v):

@app.post("/settings/titlecolor")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def titlecolor(v):
 	return set_color(v, "titlecolor", request.values.get("titlecolor"))

@app.post("/settings/verifiedcolor")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def verifiedcolor(v):
 	if not v.verified: abort(403, "You don't have a checkmark")
 	return set_color(v, "verifiedcolor", "verifiedcolor")

@app.post("/settings/security")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_security_post(v):
 	if request.values.get("new_password"):
 		if request.values.get("new_password") != request.values.get("cnf_password"):
@ -457,8 +457,8 @@ def settings_security_post(v):

@app.post("/settings/log_out_all_others")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_log_out_others(v):
 	submitted_password = request.values.get("password", "").strip()
 	if not v.verifyPass(submitted_password):
@ -472,8 +472,8 @@ def settings_log_out_others(v):

@app.post("/settings/images/profile")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_images_profile(v):
 	if request.headers.get("cf-ipcountry") == "T1": abort(403, "Image uploads are not allowed through TOR.")

@ -507,8 +507,8 @@ def settings_images_profile(v):

@app.post("/settings/images/banner")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
@feature_required('USERS_PROFILE_BANNER')
 def settings_images_banner(v):
 	if request.headers.get("cf-ipcountry") == "T1": abort(403, "Image uploads are not allowed through TOR.")
@ -535,8 +535,8 @@ def settings_css_get(v):

@app.post("/settings/css")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_css(v):
 	if v.agendaposter: abort(400, "Agendapostered users can't edit CSS!")
 	css = request.values.get("css", v.css).strip().replace('\\', '').strip()[:4000]
@ -549,8 +549,8 @@ def settings_css(v):

@app.post("/settings/profilecss")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_profilecss(v):
 	profilecss = request.values.get("profilecss", v.profilecss).strip().replace('\\', '').strip()[:4000]
 	valid, error = validate_css(profilecss)
@ -598,8 +598,8 @@ def settings_block_user(v):

@app.post("/settings/unblock")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_unblock_user(v):
 	user = get_user(request.values.get("username"))
 	x = v.has_blocked(user)
@ -622,8 +622,8 @@ def settings_advanced_get(v):

@app.post("/settings/name_change")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@is_not_permabanned
+@ratelimit_user()
 def settings_name_change(v):
 	new_name=request.values.get("name").strip()

@ -764,8 +764,8 @@ def settings_song_change(v):

@app.post("/settings/title_change")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_title_change(v):
 	if v.flairchanged: abort(403)
 	
@ -788,8 +788,8 @@ def settings_title_change(v):

@app.post("/settings/pronouns_change")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
@feature_required('PRONOUNS')
 def settings_pronouns_change(v):
 	pronouns = sanitize_settings_text(request.values.get("pronouns"))
@ -815,8 +815,8 @@ def settings_pronouns_change(v):

@app.post("/settings/checkmark_text")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def settings_checkmark_text(v):
 	if not v.verified: abort(403)
 	new_name = sanitize_settings_text(request.values.get("checkmark-text"), 100)
--- a/files/routes/subs.py
+++ b/files/routes/subs.py
@ -387,8 +387,8 @@ def sub_settings(v, sub):

@app.post('/h/<sub>/sidebar')
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@is_not_permabanned
+@ratelimit_user()
 def post_sub_sidebar(v, sub):
 	sub = get_sub_by_name(sub)
 	if not v.mods(sub.name): abort(403)
@ -412,8 +412,8 @@ def post_sub_sidebar(v, sub):

@app.post('/h/<sub>/css')
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@is_not_permabanned
+@ratelimit_user()
 def post_sub_css(v, sub):
 	sub = get_sub_by_name(sub)
 	css = request.values.get('css', '').strip()
--- a/files/routes/users.py
+++ b/files/routes/users.py
@ -313,15 +313,15 @@ def transfer_currency(v:User, username:str, currency_name:Literal['coins', 'proc
 	
@app.post("/@<username>/transfer_coins")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@is_not_permabanned
+@ratelimit_user()
 def transfer_coins(v, username):
 	return transfer_currency(v, username, 'coins', True)

@app.post("/@<username>/transfer_bux")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@is_not_permabanned
+@ratelimit_user()
@feature_required('PROCOINS')
 def transfer_bux(v, username):
 	return transfer_currency(v, username, 'procoins', False)
@ -393,8 +393,8 @@ def song(song):

@app.post("/subscribe/<post_id>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def subscribe(v, post_id):
 	existing = g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).one_or_none()
 	if not existing:
@ -404,8 +404,8 @@ def subscribe(v, post_id):
 	
@app.post("/unsubscribe/<post_id>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def unsubscribe(v, post_id):
 	existing = g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).one_or_none()
 	if existing:
@ -832,8 +832,8 @@ def u_user_id_info(id, v=None):

@app.post("/follow/<username>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def follow_user(username, v):

 	target = get_user(username, v=v, include_shadowbanned=False)
@ -859,8 +859,8 @@ def follow_user(username, v):

@app.post("/unfollow/<username>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def unfollow_user(username, v):

 	target = get_user(username)
@ -887,8 +887,8 @@ def unfollow_user(username, v):

@app.post("/remove_follow/<username>")
@limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
@auth_required
+@ratelimit_user()
 def remove_follow(username, v):
 	target = get_user(username)