From 9e1a3be278163b3bf3389dfba4068e6d6fcb2190 Mon Sep 17 00:00:00 2001 From: TLSM Date: Sun, 3 Jul 2022 13:55:25 -0400 Subject: [PATCH] Fix DMs improperly treating all users as blocked. The changes to helpers/get.py @ get_user(...) in a6b7fed2fcb4 resulted in `is_blocking` no longer being present on all User objects retrieved via `get_user`. This triggered a latent identifier shadow where the property method `User.is_blocking` on the User model caused checks for blocks on objects retrieved via `get_user` to always return True. Notably: when the get_user return value left `is_blocking` unset and thus implied False, the following expression yielded True due to the presence of the first-class function at the same identifier: hasattr(user, 'is_blocking') and user.is_blocking --- files/classes/user.py | 2 +- files/routes/settings.py | 4 ++-- files/routes/users.py | 5 +++-- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/files/classes/user.py b/files/classes/user.py index 051add207..f84099d7c 100644 --- a/files/classes/user.py +++ b/files/classes/user.py @@ -273,7 +273,7 @@ class User(Base): return len(self.referrals) @lazy - def is_blocking(self, target): + def has_blocked(self, target): return g.db.query(UserBlock).filter_by(user_id=self.id, target_id=target.id).one_or_none() @property diff --git a/files/routes/settings.py b/files/routes/settings.py index 421f1f91a..ec4256bb0 100644 --- a/files/routes/settings.py +++ b/files/routes/settings.py @@ -650,7 +650,7 @@ def settings_block_user(v): if user.id == v.id: return {"error": "You can't block yourself."}, 409 - if v.is_blocking(user): + if v.has_blocked(user): return {"error": f"You have already blocked @{user.username}."}, 409 if user.id == NOTIFICATIONS_ID: @@ -677,7 +677,7 @@ def settings_unblock_user(v): user = get_user(request.values.get("username")) - x = v.is_blocking(user) + x = v.has_blocked(user) if not x: abort(409) 
diff --git a/files/routes/users.py b/files/routes/users.py index 9be4f46d3..5e0bf08c0 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -629,9 +629,10 @@ def reportbugs(v): @limiter.limit("1/second;10/minute;20/hour;50/day", key_func=lambda:f'{request.host}-{session.get("lo_user")}') @is_not_permabanned def message2(v, username): - user = get_user(username, v=v) - if hasattr(user, 'is_blocking') and user.is_blocking: return {"error": "You're blocking this user."}, 403 + + if hasattr(user, 'is_blocking') and user.is_blocking: + return {"error": "You're blocking this user."}, 403 if v.admin_level <= 1 and hasattr(user, 'is_blocked') and user.is_blocked: return {"error": "This user is blocking you."}, 403
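Review bot: The block check in `message2` still goes through `hasattr(user, 'is_blocking') and user.is_blocking`, so enforcement depends on `get_user` attaching that attribute whenever a block exists, and it would silently become always-true again if a method or property named `is_blocking` were re-added to `User`. Since the `has_blocked` method renamed in this commit queries `UserBlock` directly, the check could ask the model instead: `if v.has_blocked(user): return {"error": "You're blocking this user."}, 403`. The `is_blocked` test on the next line has the same shape; whether `User` defines anything under that name is not visible here and should be confirmed, and either an explicit query or `getattr(user, 'is_blocked', False)` would make the unset case deliberate rather than incidental. A regression test that sends a message between unblocked, blocking and blocked users would pin both directions of the check. The body of `message2` continues past the end of the hunk.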