From 856f155b4138c40efeb31b1cbf628abee8115958 Mon Sep 17 00:00:00 2001 From: DrTransmisia <95589613+DrTransmisia@users.noreply.github.com> Date: Sun, 24 Jul 2022 17:03:19 +0200 Subject: [PATCH] Errorcodejihad (#323) * formatmaxxing brained formatting * formatmaxxing brained formatting: EPISODE 2 * Start implementing a .json interface for all logged users reddit-like PROs: - easier to debugmaxx applications - good faith actors can scrap the site more easly :gigachadglow: CONs: - bad faith actors can scrap the site more easly :gigachadglow: - jannitors lose a little of their power of allowlisting applications (they do it for free though) anyways. I make this commit a separate commit so that Snakes can esclude it from the PR if he doesn't like it (cringe) * //comments route now returns appropriate [citation needed] HTTP codes when called in JSON mode so that stupid JSON clients can crashmaxx * More error codes (sorry I don't know how to squash) * json endpoint. see other commit. I don't know how to squash --- files/routes/users.py | 63 ++++++++++++++++++++++++++++++------------- 1 file changed, 44 insertions(+), 19 deletions(-) diff --git a/files/routes/users.py b/files/routes/users.py index eec72cd9f6..71a5493f5f 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -902,12 +902,16 @@ def visitors(v): @app.get("/@") +@app.get("/@.json") @app.get("/logged_out/@") @auth_desired def u_username(username, v=None): - if not v and not request.path.startswith('/logged_out'): return redirect(f"/logged_out{request.full_path.rstrip('?')}") - if v and request.path.startswith('/logged_out'): return redirect(request.full_path.replace('/logged_out','').rstrip('?')) + if not v and not request.path.startswith('/logged_out'): + return redirect(f"/logged_out{request.full_path.rstrip('?')}") + + if v and request.path.startswith('/logged_out'): + return redirect(request.full_path.replace('/logged_out','').rstrip('?')) u = get_user(username, v=v, rendered=True) 
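Review bot: An anonymous request to the new `.json` route never receives a JSON answer. With `v` unset, the first guard in `u_username` redirects to `/logged_out…` with the `.json` suffix still in the path, and this patch registers no `.json` variant under `/logged_out`. An API client therefore gets a 302 towards an HTML route instead of an authentication error it can act on. Consider answering before the redirect, e.g. `if not v and request.path.endswith(".json"): return {"error": "Authentication required"}, 401`. The same guard is added to `u_username_comments` in the `@@ -998` hunk; both function bodies continue outside their hunks.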
@@ -921,7 +925,9 @@ def u_username(username, v=None): return redirect(SITE_FULL + request.full_path.replace(username, u.username)[:-1]) if u.reserved: - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": f"That username is reserved for: {u.reserved}"} + if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + return {"error": f"That username is reserved for: {u.reserved}"}, 418 + return render_template("userpage_reserved.html", u=u, v=v) if u.shadowbanned and not (v and v.admin_level >= 2) and not (v and v.id == u.id): @@ -937,17 +943,23 @@ def u_username(username, v=None): if u.is_private and (not v or (v.id != u.id and v.admin_level < 2 and not v.eye)): - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": "That userpage is private"} + if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + return {"error": "That userpage is private"}, 403 + return render_template("userpage_private.html", u=u, v=v) if v and hasattr(u, 'is_blocking') and u.is_blocking: - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": f"You are blocking @{u.username}."} + if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + return {"error": f"You are blocking @{u.username}."}, 403 + return render_template("userpage_blocking.html", u=u, v=v) if v and v.admin_level < 2 and hasattr(u, 'is_blocked') and u.is_blocked: - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": "This person is blocking you."} + if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + return {"error": "This person is blocking you."}, 403 + return render_template("userpage_blocked.html", u=u, v=v) 
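Review bot: Status 418 on the reserved-username branch is a joke code that clients, proxies and alerting rules have no defined handling for, while every other refusal in this patch uses 403. A conventional code keeps client error handling and log-based monitoring uniform, for example `return {"error": f"That username is reserved for: {u.reserved}"}, 403`. The same 418 is returned from `u_username_comments` in the `@@ -1012` hunk.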
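Review bot: The JSON-mode test `request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json")` is spelled out in each of the three branches of the `@@ -937` hunk, and again in the `@@ -921` and `@@ -1012` hunks, so one missed copy changes what a client is told about an access-control decision. Computing it once near the top of each view, `wants_json = bool(request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"))`, and testing `if wants_json:` in every branch would keep them in step. Deciding from the matched route rather than the path suffix would be sturdier if a username can ever end in `.json`; whether that is possible is not visible here. The enclosing function starts and ends outside the hunk.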
@@ -971,7 +983,9 @@ def u_username(username, v=None): listing = get_posts(ids, v=v) if u.unban_utc: - if request.headers.get("Authorization"): {"data": [x.json for x in listing]} + if request.headers.get("Authorization") or request.path.endswith(".json"): + return {"data": [x.json for x in listing]} + return render_template("userpage.html", unban=u.unban_string, u=u, @@ -985,7 +999,9 @@ def u_username(username, v=None): - if request.headers.get("Authorization"): return {"data": [x.json for x in listing]} + if request.headers.get("Authorization") or request.path.endswith(".json"): + return {"data": [x.json for x in listing]} + return render_template("userpage.html", u=u, v=v, @@ -998,12 +1014,16 @@ def u_username(username, v=None): @app.get("/@/comments") +@app.get("/@/comments.json") @app.get("/logged_out/@/comments") @auth_desired def u_username_comments(username, v=None): - if not v and not request.path.startswith('/logged_out'): return redirect(f"/logged_out{request.full_path.rstrip('?')}") - if v and request.path.startswith('/logged_out'): return redirect(request.full_path.replace('/logged_out','').rstrip('?')) + if not v and not request.path.startswith('/logged_out'): + return redirect(f"/logged_out{request.full_path.rstrip('?')}") + + if v and request.path.startswith('/logged_out'): + return redirect(request.full_path.replace('/logged_out','').rstrip('?')) user = get_user(username, v=v, rendered=True) 
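Review bot: The success branches test `Authorization` or the `.json` suffix but not the `xhr` header, while every refusal branch in this patch also accepts `xhr`. A client that sends `xhr` therefore gets JSON for refusals and an HTML page for the listing itself; the same holds in the `@@ -985` and `@@ -1063` hunks. If that split is intended, a comment such as `# xhr callers get the HTML listing on purpose` would record it; otherwise use the same condition as the error branches. The JSON returned under `u.unban_utc` also omits the unban information that the template receives through `unban=u.unban_string`.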
@@ -1012,27 +1032,30 @@ def u_username_comments(username, v=None): else: is_following = (v and user.has_follower(v)) - if username != user.username: return redirect(f'/@{user.username}/comments') + if username != user.username: + return redirect(f'/@{user.username}/comments') u = user if u.reserved: - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": f"That username is reserved for: {u.reserved}"} - return render_template("userpage_reserved.html", - u=u, - v=v) + if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + return {"error": f"That username is reserved for: {u.reserved}"}, 418 + return render_template("userpage_reserved.html", u=u, v=v) if u.is_private and (not v or (v.id != u.id and v.admin_level < 2 and not v.eye)): - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": "That userpage is private"} + if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + return {"error": "That userpage is private"}, 403 return render_template("userpage_private.html", u=u, v=v) if v and hasattr(u, 'is_blocking') and u.is_blocking: - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": f"You are blocking @{u.username}."} + if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + return {"error": f"You are blocking @{u.username}."}, 403 return render_template("userpage_blocking.html", u=u, v=v) if v and v.admin_level < 2 and hasattr(u, 'is_blocked') and u.is_blocked: - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": "This person is blocking you."} + if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + return {"error": "This person is blocking you."}, 403 return render_template("userpage_blocked.html", u=u, v=v) 
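Review bot: The canonical-username redirect `return redirect(f'/@{user.username}/comments')` discards the `.json` suffix, so a `.json` request where `username != user.username` lands on the HTML route and the client gets markup instead of JSON. `u_username` avoids this by rewriting `request.full_path` (context of the `@@ -921` hunk). Preserving the suffix is enough: `suffix = ".json" if request.path.endswith(".json") else ""` followed by `return redirect(f'/@{user.username}/comments{suffix}')`. The function body begins before and continues after this hunk.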
@@ -1063,7 +1086,9 @@ def u_username_comments(username, v=None): listing = get_comments(ids, v=v) - if request.headers.get("Authorization"): return {"data": [c.json for c in listing]} + if request.headers.get("Authorization") or request.path.endswith(".json"): + return {"data": [c.json for c in listing]} + return render_template("userpage_comments.html", u=user, v=v, listing=listing, page=page, sort=sort, t=t,next_exists=next_exists, is_following=is_following, standalone=True)
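Review bot: Accepting the `.json` suffix here serves the comment listing as JSON to any logged-in session, where it previously required an `Authorization` header; the commit description itself notes that this makes scraping easier. The decorator stack shown in the `@@ -998` hunk holds only the `@app.get` routes and `@auth_desired`, so no per-route rate limit is visible for these endpoints. If the project has a rate-limiting decorator, applying it to the `.json` routes and logging JSON-mode hits separately would let moderators detect and throttle bulk collection. It is also worth confirming that `c.json` serialises only fields already shown on the HTML page; its definition is outside this diff.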