Fix DMs improperly treating all users as blocked.

The changes to helpers/get.py @ get_user(...) in a6b7fed2fc resulted
in `is_blocking` no longer being present on all User objects retrieved
via `get_user`. This triggered a latent identifier shadow where the
property method `User.is_blocking` on the User model caused checks for
blocks on objects retrieved via `get_user` to always return True.

Notably: when the get_user return value left `is_blocking` unset and
thus implied False, the following expression yielded True due to the
presence of the first-class function at the same identifier:

    hasattr(user, 'is_blocking') and user.is_blocking
master
Snakes 2022-07-03 13:55:25 -04:00
parent ed42f14a77
commit 9e1a3be278
3 changed files with 6 additions and 5 deletions

View File

@ -273,7 +273,7 @@ class User(Base):
return len(self.referrals) return len(self.referrals)
@lazy @lazy
def is_blocking(self, target): def has_blocked(self, target):
return g.db.query(UserBlock).filter_by(user_id=self.id, target_id=target.id).one_or_none() return g.db.query(UserBlock).filter_by(user_id=self.id, target_id=target.id).one_or_none()
@property @property

View File

@ -650,7 +650,7 @@ def settings_block_user(v):
if user.id == v.id: if user.id == v.id:
return {"error": "You can't block yourself."}, 409 return {"error": "You can't block yourself."}, 409
if v.is_blocking(user): if v.has_blocked(user):
return {"error": f"You have already blocked @{user.username}."}, 409 return {"error": f"You have already blocked @{user.username}."}, 409
if user.id == NOTIFICATIONS_ID: if user.id == NOTIFICATIONS_ID:
@ -677,7 +677,7 @@ def settings_unblock_user(v):
user = get_user(request.values.get("username")) user = get_user(request.values.get("username"))
x = v.is_blocking(user) x = v.has_blocked(user)
if not x: abort(409) if not x: abort(409)

View File

@ -629,9 +629,10 @@ def reportbugs(v):
@limiter.limit("1/second;10/minute;20/hour;50/day", key_func=lambda:f'{request.host}-{session.get("lo_user")}') @limiter.limit("1/second;10/minute;20/hour;50/day", key_func=lambda:f'{request.host}-{session.get("lo_user")}')
@is_not_permabanned @is_not_permabanned
def message2(v, username): def message2(v, username):
user = get_user(username, v=v) user = get_user(username, v=v)
if hasattr(user, 'is_blocking') and user.is_blocking: return {"error": "You're blocking this user."}, 403
if hasattr(user, 'is_blocking') and user.is_blocking:
return {"error": "You're blocking this user."}, 403
if v.admin_level <= 1 and hasattr(user, 'is_blocked') and user.is_blocked: if v.admin_level <= 1 and hasattr(user, 'is_blocked') and user.is_blocked:
return {"error": "This user is blocking you."}, 403 return {"error": "This user is blocking you."}, 403