From edca73723a4f6d76552537fe53645c6d0695887d Mon Sep 17 00:00:00 2001 From: Aevann1 Date: Thu, 9 Dec 2021 23:21:52 +0200 Subject: [PATCH 01/11] sfdsfd --- files/mail/__init__.py | 1 + files/routes/admin.py | 12 +++++ files/routes/awards.py | 3 ++ files/routes/front.py | 17 ++++--- files/routes/oauth.py | 2 + files/routes/reporting.py | 2 + files/routes/settings.py | 8 ++- files/routes/static.py | 1 + files/routes/users.py | 11 ++++ files/routes/votes.py | 1 + files/templates/changelog.html | 2 +- files/templates/comments.html | 2 +- files/templates/default.html | 2 +- files/templates/header.html | 2 +- files/templates/settings_blocks.html | 6 ++- files/templates/settings_profile.html | 4 ++ files/templates/submission.html | 4 +- files/templates/userpage.html | 73 ++++----------------------- files/templates/userpage_private.html | 1 - 19 files changed, 75 insertions(+), 79 deletions(-) diff --git a/files/mail/__init__.py b/files/mail/__init__.py index 1bc255a4e..36d753da8 100644 --- a/files/mail/__init__.py +++ b/files/mail/__init__.py @@ -43,6 +43,7 @@ def send_verification_email(user, email=None): @app.post("/verify_email") @limiter.limit("1/second") @auth_required +@validate_formkey def api_verify_email(v): send_verification_email(v) diff --git a/files/routes/admin.py b/files/routes/admin.py index 10ec84ddb..653bc5c9c 100644 --- a/files/routes/admin.py +++ b/files/routes/admin.py @@ -36,6 +36,7 @@ def truescore(v): @app.post("/@/revert_actions") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def revert_actions(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) @@ -61,6 +62,7 @@ def revert_actions(v, username): @app.post("/@/club_allow") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def club_allow(v, username): u = get_user(username, v=v) @@ -84,6 +86,7 @@ def club_allow(v, username): @app.post("/@/club_ban") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def club_ban(v, username): u = get_user(username, v=v) @@ -107,6 +110,7 @@ def club_ban(v, username): @app.post("/@/make_admin") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def make_admin(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) @@ -120,6 +124,7 @@ def make_admin(v, username): @app.post("/@/remove_admin") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def remove_admin(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) @@ -133,6 +138,7 @@ def remove_admin(v, username): @app.post("/@/make_meme_admin") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def make_meme_admin(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) @@ -146,6 +152,7 @@ def make_meme_admin(v, username): @app.post("/@/remove_meme_admin") @limiter.limit("1/second") @admin_level_required(2) +@validate_formkey def remove_meme_admin(v, username): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): user = get_user(username) @@ -159,6 +166,7 @@ def remove_meme_admin(v, username): @app.post("/admin/monthly") @limiter.limit("1/day") @admin_level_required(2) +@validate_formkey def monthly(v): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): thing = g.db.query(AwardRelationship).order_by(AwardRelationship.id.desc()).first().id @@ -930,6 +938,7 @@ def api_distinguish_post(post_id, v): @app.post("/sticky/") @admin_level_required(2) +@validate_formkey def api_sticky_post(post_id, v): post = g.db.query(Submission).filter_by(id=post_id).first() @@ -965,6 +974,7 @@ def api_sticky_post(post_id, v): @app.post("/ban_comment/") @limiter.limit("1/second") @admin_level_required(1) +@validate_formkey def api_ban_comment(c_id, v): comment = g.db.query(Comment).filter_by(id=c_id).first() @@ -989,6 +999,7 @@ def api_ban_comment(c_id, v): @app.post("/unban_comment/") @limiter.limit("1/second") @admin_level_required(1) +@validate_formkey def api_unban_comment(c_id, v): comment = g.db.query(Comment).filter_by(id=c_id).first() @@ -1013,6 +1024,7 @@ def api_unban_comment(c_id, v): @app.post("/distinguish_comment/") @admin_level_required(1) +@validate_formkey def admin_distinguish_comment(c_id, v): diff --git a/files/routes/awards.py b/files/routes/awards.py index 5d9bf980e..f0fbae702 100644 --- a/files/routes/awards.py +++ b/files/routes/awards.py @@ -234,6 +234,7 @@ def shop(v): @app.post("/buy/") @auth_required +@validate_formkey def buy(v, award): AWARDS = { "shit": { @@ -446,6 +447,7 @@ def buy(v, award): @app.post("/post//awards") @limiter.limit("1/second") @auth_required +@validate_formkey def award_post(pid, v): if v.shadowbanned: return render_template('errors/500.html', v=v), 500 @@ -603,6 +605,7 @@ def award_post(pid, v): @app.post("/comment//awards") @limiter.limit("1/second") @auth_required +@validate_formkey def award_comment(cid, v): if v.shadowbanned: return render_template('errors/500.html', v=v), 500 diff --git a/files/routes/front.py b/files/routes/front.py index 2bd50296e..25e0a812b 100644 --- a/files/routes/front.py +++ b/files/routes/front.py @@ -13,6 +13,7 @@ def slash_post(): @app.post("/clear") @auth_required +@validate_formkey def clear(v): for n in v.notifications.filter_by(read=False).all(): n.read = True @@ -210,7 +211,8 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, filter_words=' posts = posts.filter(Submission.created_utc >= cutoff) else: cutoff = 0 - posts = posts.filter_by(is_banned=False, stickied=None, private=False, deleted_utc = 0) + if sort == "new": posts = posts.filter_by(is_banned=False, private=False, deleted_utc = 0) + else: posts = posts.filter_by(is_banned=False, stickied=None, private=False, deleted_utc = 0) if v and v.admin_level == 0: blocking = [x[0] for x in g.db.query( @@ -263,13 +265,14 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, filter_words=' posts = posts[:size] - pins = g.db.query(Submission).filter(Submission.stickied != None, Submission.is_banned == False) - if v and v.admin_level == 0: - blocking = [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=v.id).all()] - blocked = [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=v.id).all()] - pins = pins.filter(Submission.author_id.notin_(blocking), Submission.author_id.notin_(blocked)) + if sort != "new": + pins = g.db.query(Submission).filter(Submission.stickied != None, Submission.is_banned == False) + if v and v.admin_level == 0: + blocking = [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=v.id).all()] + blocked = [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=v.id).all()] + pins = pins.filter(Submission.author_id.notin_(blocking), Submission.author_id.notin_(blocked)) - if page == 1 and not gt and not lt: posts = pins.all() + posts + if sort != "new" and page == 1 and not gt and not lt: posts = pins.all() + posts if ids_only: posts = [x.id for x in posts] diff --git a/files/routes/oauth.py b/files/routes/oauth.py index fae4ecb0a..ef7edb4d1 100644 --- a/files/routes/oauth.py +++ b/files/routes/oauth.py @@ -38,6 +38,7 @@ def authorize(v): @app.post("/api_keys") @limiter.limit("1/second") @is_not_banned +@validate_formkey def request_api_keys(v): new_app = OauthApp( @@ -253,6 +254,7 @@ def admin_apps_list(v): @app.post("/oauth/reroll/") @limiter.limit("1/second") @auth_required +@validate_formkey def reroll_oauth_tokens(aid, v): aid = aid diff --git a/files/routes/reporting.py b/files/routes/reporting.py index 2cc2b3763..37b39bb5a 100644 --- a/files/routes/reporting.py +++ b/files/routes/reporting.py @@ -8,6 +8,7 @@ from files.helpers.sanitize import filter_emojis_only @app.post("/report/post/") @limiter.limit("1/second") @auth_required +@validate_formkey def api_flag_post(pid, v): post = get_post(pid) @@ -38,6 +39,7 @@ def api_flag_post(pid, v): @app.post("/report/comment/") @limiter.limit("1/second") @auth_required +@validate_formkey def api_flag_comment(cid, v): comment = get_comment(cid) diff --git a/files/routes/settings.py b/files/routes/settings.py index 06c6a9ae9..0d01fbfe8 100644 --- a/files/routes/settings.py +++ b/files/routes/settings.py @@ -34,6 +34,7 @@ tiers={ @app.post("/settings/removebackground") @limiter.limit("1/second") @auth_required +@validate_formkey def removebackground(v): v.background = None g.db.add(v) @@ -439,6 +440,7 @@ def settings_profile_post(v): @app.post("/settings/filters") @auth_required +@validate_formkey def filters(v): filters=request.values.get("filters")[:1000].strip() @@ -810,6 +812,7 @@ def settings_css_get(v): @app.post("/settings/css") @limiter.limit("1/second") @auth_required +@validate_formkey def settings_css(v): css = request.values.get("css").strip().replace('\\', '').strip()[:4000] @@ -826,14 +829,15 @@ def settings_css(v): @auth_required def settings_profilecss_get(v): - if v.truecoins < 1000 and not v.patron and v.admin_level == 0 : return f"You must have +1000 {COINS_NAME} or be a patron to set profile css." + if v.truecoins < 1000 and not v.patron and v.admin_level == 0 : return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css." return render_template("settings_profilecss.html", v=v) @app.post("/settings/profilecss") @limiter.limit("1/second") @auth_required +@validate_formkey def settings_profilecss(v): - if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a patron to set profile css." + if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css." profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000] v.profilecss = profilecss g.db.add(v) diff --git a/files/routes/static.py b/files/routes/static.py index 6b5f2f4de..58b13a41f 100644 --- a/files/routes/static.py +++ b/files/routes/static.py @@ -230,6 +230,7 @@ def contact(v): @app.post("/contact") @limiter.limit("1/second") @auth_required +@validate_formkey def submit_contact(v): message = f'This message has been sent automatically to all admins via https://{site}/contact, user email is "{v.email}"\n\nMessage:\n\n' + request.values.get("message", "") send_admin(v.id, message) diff --git a/files/routes/users.py b/files/routes/users.py index 46e5e9a68..16be0d6d4 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -97,6 +97,7 @@ def downvoting(v, username): @app.post("/pay_rent") @limiter.limit("1/second") @auth_required +@validate_formkey def pay_rent(v): if v.coins < 500: return "You must have more than 500 coins." v.coins -= 500 @@ -113,6 +114,7 @@ def pay_rent(v): @app.post("/steal") @limiter.limit("1/second") @is_not_banned +@validate_formkey def steal(v): if int(time.time()) - v.created_utc < 604800: return "You must have an account older than 1 week in order to attempt stealing." @@ -167,6 +169,7 @@ def thiefs(v): @app.post("/@/suicide") @limiter.limit("1/second") @auth_required +@validate_formkey def suicide(v, username): t = int(time.time()) if v.admin_level == 0 and t - v.suicide_utc < 86400: return {"message": "You're on 1-day cooldown!"} @@ -312,6 +315,7 @@ def song(song): @app.post("/subscribe/") @limiter.limit("1/second") @auth_required +@validate_formkey def subscribe(v, post_id): new_sub = Subscription(user_id=v.id, submission_id=post_id) g.db.add(new_sub) @@ -321,6 +325,7 @@ def subscribe(v, post_id): @app.post("/unsubscribe/") @limiter.limit("1/second") @auth_required +@validate_formkey def unsubscribe(v, post_id): sub=g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).first() if sub: @@ -337,6 +342,7 @@ def reportbugs(v): @limiter.limit("1/second") @limiter.limit("10/hour") @auth_required +@validate_formkey def message2(v, username): user = get_user(username, v=v) @@ -400,6 +406,7 @@ def message2(v, username): @limiter.limit("1/second") @limiter.limit("6/minute") @auth_required +@validate_formkey def messagereply(v): message = request.values.get("body", "").strip()[:1000].strip() @@ -727,6 +734,7 @@ def u_username_info(username, v=None): @app.post("/follow/") @limiter.limit("1/second") @auth_required +@validate_formkey def follow_user(username, v): target = get_user(username) @@ -752,6 +760,7 @@ def follow_user(username, v): @app.post("/unfollow/") @limiter.limit("1/second") @auth_required +@validate_formkey def unfollow_user(username, v): target = get_user(username) @@ -778,6 +787,7 @@ def unfollow_user(username, v): @app.post("/remove_follow/") @limiter.limit("1/second") @auth_required +@validate_formkey def remove_follow(username, v): target = get_user(username) @@ -869,6 +879,7 @@ def saved_comments(v, username): @app.post("/fp/") @auth_required +@validate_formkey def fp(v, fp): if v.username != fp: v.fp = fp diff --git a/files/routes/votes.py b/files/routes/votes.py index a03e16ca0..32201e980 100644 --- a/files/routes/votes.py +++ b/files/routes/votes.py @@ -196,6 +196,7 @@ def api_vote_comment(comment_id, new, v): @app.post("/vote/poll/") @auth_required +@validate_formkey def api_vote_poll(comment_id, v): vote = request.values.get("vote") diff --git a/files/templates/changelog.html b/files/templates/changelog.html index 0e711b6db..6884eeb6d 100644 --- a/files/templates/changelog.html +++ b/files/templates/changelog.html @@ -102,6 +102,6 @@ {% endif %} - + {% endblock %} \ No newline at end of file diff --git a/files/templates/comments.html b/files/templates/comments.html index edfb51e1b..28b296911 100644 --- a/files/templates/comments.html +++ b/files/templates/comments.html @@ -749,7 +749,7 @@ {% if v %} - + {% endif %} diff --git a/files/templates/default.html b/files/templates/default.html index e9177d005..50ffa701d 100644 --- a/files/templates/default.html +++ b/files/templates/default.html @@ -287,7 +287,7 @@ {% if v %} - + {% endif %} diff --git a/files/templates/header.html b/files/templates/header.html index 912e2ed70..0fb96a491 100644 --- a/files/templates/header.html +++ b/files/templates/header.html @@ -213,7 +213,7 @@ - +