forked from MarseyWorld/MarseyWorld
Fix DMs improperly treating all users as blocked.
The changes to helpers/get.py @ get_user(...) in a6b7fed2fc
resulted
in `is_blocking` no longer being present on all User objects retrieved
via `get_user`. This triggered a latent identifier shadow where the
property method `User.is_blocking` on the User model caused checks for
blocks on objects retrieved via `get_user` to always return True.
Notably: when the get_user return value left `is_blocking` unset and
thus implied False, the following expression yielded True due to the
presence of the first-class function at the same identifier:
hasattr(user, 'is_blocking') and user.is_blocking
master
parent
ed42f14a77
commit
9e1a3be278
|
@ -273,7 +273,7 @@ class User(Base):
|
||||||
return len(self.referrals)
|
return len(self.referrals)
|
||||||
|
|
||||||
@lazy
|
@lazy
|
||||||
def is_blocking(self, target):
|
def has_blocked(self, target):
|
||||||
return g.db.query(UserBlock).filter_by(user_id=self.id, target_id=target.id).one_or_none()
|
return g.db.query(UserBlock).filter_by(user_id=self.id, target_id=target.id).one_or_none()
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
|
|
@ -650,7 +650,7 @@ def settings_block_user(v):
|
||||||
if user.id == v.id:
|
if user.id == v.id:
|
||||||
return {"error": "You can't block yourself."}, 409
|
return {"error": "You can't block yourself."}, 409
|
||||||
|
|
||||||
if v.is_blocking(user):
|
if v.has_blocked(user):
|
||||||
return {"error": f"You have already blocked @{user.username}."}, 409
|
return {"error": f"You have already blocked @{user.username}."}, 409
|
||||||
|
|
||||||
if user.id == NOTIFICATIONS_ID:
|
if user.id == NOTIFICATIONS_ID:
|
||||||
|
@ -677,7 +677,7 @@ def settings_unblock_user(v):
|
||||||
|
|
||||||
user = get_user(request.values.get("username"))
|
user = get_user(request.values.get("username"))
|
||||||
|
|
||||||
x = v.is_blocking(user)
|
x = v.has_blocked(user)
|
||||||
|
|
||||||
if not x: abort(409)
|
if not x: abort(409)
|
||||||
|
|
||||||
|
|
|
@ -629,9 +629,10 @@ def reportbugs(v):
|
||||||
@limiter.limit("1/second;10/minute;20/hour;50/day", key_func=lambda:f'{request.host}-{session.get("lo_user")}')
|
@limiter.limit("1/second;10/minute;20/hour;50/day", key_func=lambda:f'{request.host}-{session.get("lo_user")}')
|
||||||
@is_not_permabanned
|
@is_not_permabanned
|
||||||
def message2(v, username):
|
def message2(v, username):
|
||||||
|
|
||||||
user = get_user(username, v=v)
|
user = get_user(username, v=v)
|
||||||
if hasattr(user, 'is_blocking') and user.is_blocking: return {"error": "You're blocking this user."}, 403
|
|
||||||
|
if hasattr(user, 'is_blocking') and user.is_blocking:
|
||||||
|
return {"error": "You're blocking this user."}, 403
|
||||||
|
|
||||||
if v.admin_level <= 1 and hasattr(user, 'is_blocked') and user.is_blocked:
|
if v.admin_level <= 1 and hasattr(user, 'is_blocked') and user.is_blocked:
|
||||||
return {"error": "This user is blocking you."}, 403
|
return {"error": "This user is blocking you."}, 403
|
||||||
|
|
Loading…
Reference in New Issue