
disallow permabanned-cels from all POST endpoints that require auth except /reply /contact /delete/post /delete/comment

master
Aevann 2023-09-14 19:49:46 +03:00
parent 61484f7fe1
commit f392c6bb9c
12 changed files with 42 additions and 51 deletions


@ -138,7 +138,7 @@ def buy(v, award):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def award_thing(v, thing_type, id):
kind = request.values.get("kind", "").strip()


@ -53,7 +53,7 @@ def is_not_banned_socketio(f):
wrapper.__name__ = f.__name__
return wrapper
def is_not_permabanned_socketio(f):
def auth_required_socketio(f):
def wrapper(*args, **kwargs):
v = get_logged_in_user()
if not v: return '', 401
@ -67,7 +67,7 @@ CHAT_ERROR_MESSAGE = f"To prevent spam, you'll need {TRUESCORE_CC_CHAT_MINIMUM}
@app.get("/chat")
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def chat(v):
if not v.allowed_in_chat:
abort(403, CHAT_ERROR_MESSAGE)
@ -83,7 +83,7 @@ def chat(v):
@app.get("/orgy")
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def orgy(v):
if not v.allowed_in_chat:
abort(403, CHAT_ERROR_MESSAGE)
@ -208,7 +208,7 @@ def refresh_online():
cache.set(CHAT_ONLINE_CACHE_KEY, len(online[key]), timeout=0)
@socketio.on('connect')
@is_not_permabanned_socketio
@auth_required_socketio
def connect(v):
if request.referrer not in ALLOWED_REFERRERS:
return '', 400
@ -231,7 +231,7 @@ def connect(v):
return '', 204
@socketio.on('disconnect')
@is_not_permabanned_socketio
@auth_required_socketio
def disconnect(v):
if request.referrer not in ALLOWED_REFERRERS:
return '', 400
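Review bot: `/chat` and `/orgy` are GET routes (the `@app.get` lines above each), so swapping `@is_not_permabanned` for `@auth_required` drops the permaban check from them, because the gate that now lives in `auth_required` only fires when `request.method == "POST"`. The same applies to the socketio `connect`/`disconnect` handlers in this section, which are not HTTP POSTs, unless the renamed `auth_required_socketio` still carries a permaban check in the body outside the hunk, and to the GET routes `/create_hole` and `/h/<sub>/settings` in the sub file. The `allowed_in_chat` checks may cover chat in practice, but what that attribute tests is not visible here. If permabanned accounts are still meant to be kept off these pages, keep the `is_not_permabanned` decorator (and its socketio twin) on the GET routes and socket handlers instead of deleting it. Both `connect` and `disconnect` continue below the hunk.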


@ -630,7 +630,7 @@ def toggle_comment_nsfw(cid, v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DELETE_EDIT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DELETE_EDIT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def edit_comment(cid, v):
c = get_comment(cid, v=v)


@ -20,7 +20,7 @@ def ping_groups(v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def create_group(v):
name = request.values.get('name')
if not name: abort(400)


@ -55,7 +55,7 @@ def rescind(v, aid):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def request_api_keys(v):
new_app = OauthApp(
app_name=request.values.get('name').replace('<','').replace('>',''),
@ -123,7 +123,7 @@ def delete_oauth_app(v, aid):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def edit_oauth_app(v, aid):
try:
aid = int(aid)


@ -10,7 +10,7 @@ from files.__main__ import app
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def vote_option(option_id, v):
try:
option_id = int(option_id)
@ -62,7 +62,7 @@ def vote_option(option_id, v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def vote_option_comment(option_id, v):
try:
option_id = int(option_id)


@ -978,7 +978,7 @@ def get_post_title(v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DELETE_EDIT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DELETE_EDIT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def edit_post(pid, v):
p = get_post(pid)
if not v.can_edit(p): abort(403)


@ -720,7 +720,7 @@ def settings_advanced_get(v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def settings_name_change(v):
if SITE == 'rdrama.net' and v.id == 10489:
abort(403)


@ -12,7 +12,7 @@ from files.__main__ import app, cache, limiter
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def exile_post(v, pid):
if v.shadowbanned: abort(500)
p = get_post(pid)
@ -47,7 +47,7 @@ def exile_post(v, pid):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def exile_comment(v, cid):
if v.shadowbanned: abort(500)
c = get_comment(cid)
@ -82,7 +82,7 @@ def exile_comment(v, cid):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def unexile(v, sub, uid):
u = get_account(uid)
@ -266,7 +266,7 @@ def sub_followers(v, sub):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit("30/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("30/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def add_mod(v, sub):
if SITE_NAME == 'WPD': abort(403)
sub = get_sub_by_name(sub).name
@ -306,7 +306,7 @@ def add_mod(v, sub):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def remove_mod(v, sub):
sub = get_sub_by_name(sub).name
@ -347,7 +347,7 @@ def remove_mod(v, sub):
@app.get("/create_hole")
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def create_sub(v):
if not v.can_create_hole:
abort(403)
@ -359,7 +359,7 @@ def create_sub(v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def create_sub2(v):
if not v.can_create_hole:
abort(403)
@ -399,7 +399,7 @@ def create_sub2(v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def kick(v, pid):
post = get_post(pid)
@ -432,7 +432,7 @@ def kick(v, pid):
@app.get('/h/<sub>/settings')
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def sub_settings(v, sub):
sub = get_sub_by_name(sub)
if not v.mods(sub.name): abort(403)
@ -444,7 +444,7 @@ def sub_settings(v, sub):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def post_sub_sidebar(v, sub):
sub = get_sub_by_name(sub)
if not v.mods(sub.name): abort(403)
@ -474,7 +474,7 @@ def post_sub_sidebar(v, sub):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def post_sub_css(v, sub):
sub = get_sub_by_name(sub)
css = request.values.get('css', '').strip()
@ -516,7 +516,7 @@ def get_sub_css(sub):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit("50/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("50/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def upload_sub_banner(v, sub):
if g.is_tor: abort(403, "Image uploads are not allowed through Tor")
@ -546,7 +546,7 @@ def upload_sub_banner(v, sub):
@app.post("/h/<sub>/settings/banners/delete/<int:index>")
@limiter.limit("1/second;30/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("1/second;30/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def delete_sub_banner(v, sub, index):
sub = get_sub_by_name(sub)
if not v.mods(sub.name): abort(403)
@ -577,7 +577,7 @@ def delete_sub_banner(v, sub, index):
@app.post("/h/<sub>/settings/banners/delete_all")
@limiter.limit("1/10 second;30/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("1/10 second;30/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def delete_all_sub_banners(v, sub):
sub = get_sub_by_name(sub)
if not v.mods(sub.name): abort(403)
@ -605,7 +605,7 @@ def delete_all_sub_banners(v, sub):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit("10/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("10/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def sub_sidebar(v, sub):
if g.is_tor: abort(403, "Image uploads are not allowed through TOR!")
@ -638,7 +638,7 @@ def sub_sidebar(v, sub):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit("10/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("10/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def sub_marsey(v, sub):
if g.is_tor: abort(403, "Image uploads are not allowed through TOR!")
@ -681,7 +681,7 @@ def subs(v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def hole_pin(v, pid):
p = get_post(pid)
@ -717,7 +717,7 @@ def hole_pin(v, pid):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def hole_unpin(v, pid):
p = get_post(pid)
@ -750,7 +750,7 @@ def hole_unpin(v, pid):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def sub_stealth(v, sub):
sub = get_sub_by_name(sub)
if sub.name in {'braincels','smuggies','mnn'} and v.admin_level < PERMS["MODS_EVERY_HOLE"]:
@ -786,7 +786,7 @@ def sub_stealth(v, sub):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def pin_comment_mod(cid, v):
comment = get_comment(cid, v=v)
@ -817,7 +817,7 @@ def pin_comment_mod(cid, v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def unpin_comment_mod(cid, v):
comment = get_comment(cid, v=v)


@ -467,7 +467,7 @@ def get_coins(v, username):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def transfer_coins(v, username):
return transfer_currency(v, username, 'coins', True)
@ -477,7 +477,7 @@ def transfer_coins(v, username):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
@limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def transfer_bux(v, username):
return transfer_currency(v, username, 'marseybux', False)
@ -613,7 +613,7 @@ def unsubscribe(v, post_id):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit("10/minute;20/hour;50/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("10/minute;20/hour;50/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def message2(v, username=None, id=None):
if id:
user = get_account(id, v=v, include_blocks=True)


@ -224,7 +224,7 @@ def vote_info_get(v, link):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit("60/minute;1000/hour;2000/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("60/minute;1000/hour;2000/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def vote_post(post_id, new, v):
return vote_post_comment(post_id, new, v, Post, Vote)
@ -233,6 +233,6 @@ def vote_post(post_id, new, v):
@limiter.limit('1/second', scope=rpath, key_func=get_ID)
@limiter.limit("60/minute;1000/hour;2000/day", deduct_when=lambda response: response.status_code < 400)
@limiter.limit("60/minute;1000/hour;2000/day", deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
@is_not_permabanned
@auth_required
def vote_comment(comment_id, new, v):
return vote_post_comment(comment_id, new, v, Comment, CommentVote)


@ -139,6 +139,8 @@ def auth_required(f):
v = get_logged_in_user()
if not v:
abort(401, "You need to login to perform this action!")
if v.is_permabanned and request.method == "POST" and request.path not in {'/contact','/reply'} and not request.path.startswith('/delete/'):
abort(403, "You can't perform this action while permabanned!")
return make_response(f(*args, v=v, **kwargs))
wrapper.__name__ = f.__name__
return wrapper
@ -154,17 +156,6 @@ def is_not_banned(f):
wrapper.__name__ = f.__name__
return wrapper
def is_not_permabanned(f):
def wrapper(*args, **kwargs):
v = get_logged_in_user()
if not v:
abort(401, "You need to login to perform this action!")
if v.is_permabanned:
abort(403, "You can't perform this action while permabanned!")
return make_response(f(*args, v=v, **kwargs))
wrapper.__name__ = f.__name__
return wrapper
def admin_level_required(x):
def wrapper_maker(f):
def wrapper(*args, **kwargs):
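Review bot: The exemption on the new line `if v.is_permabanned and request.method == "POST" and request.path not in {'/contact','/reply'} and not request.path.startswith('/delete/'):` is wider than the commit title states, since `startswith('/delete/')` exempts every present and future route under `/delete/`, not only `/delete/post` and `/delete/comment`. If those two routes carry an id segment, a tuple prefix such as `request.path.startswith(('/delete/post/', '/delete/comment/'))`, matched to the actual route rules, keeps the exemption to exactly the routes named. I would also hoist the exempt paths into a module-level constant, say `PERMABAN_EXEMPT_POST_PATHS`, with a one-line comment stating why contact, reply and deletion stay open to permabanned accounts, so the policy is not buried inside the wrapper. The gate now relies on every state-changing route going through `auth_required` with POST; routes guarded only by `is_not_banned` or `admin_level_required` (the neighbouring decorators in this section) are not covered unless those chain through it, which this hunk does not show. The `wrapper` definition inside `auth_required` starts above the first hunk.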