From 7ff30337f5ec707f92f70230df3a8b21bf48051f Mon Sep 17 00:00:00 2001
From: Aevann
Date: Sun, 29 Oct 2023 17:30:54 +0300
Subject: [PATCH] dont allow subscribing to own post (not hidden in HTML in order to show num of subscribers)
---
 files/routes/users.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/files/routes/users.py b/files/routes/users.py
index 544642e16..345e0e327 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -580,6 +580,10 @@ def get_profilecss(username):
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
 def subscribe(v, post_id):
+ p = get_post(post_id)
+ if v.id == p.author_id:
+ abort(403, "You can't subscribe to your own posts!")
+
 existing = g.db.query(Subscription).filter_by(user_id=v.id, post_id=post_id).one_or_none()
 if not existing:
 new_sub = Subscription(user_id=v.id, post_id=post_id)
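Review bot: The new guard in `subscribe` reads `p.author_id` straight after `p = get_post(post_id)`, so it relies on `get_post` aborting rather than returning `None` for a missing or non-viewable post; that helper is not visible in this hunk, so confirm it, otherwise an unknown id would surface as a 500 instead of a 404. Now that the post is loaded, the unchanged lines below could use `p.id` instead of the raw `post_id`, as in `filter_by(user_id=v.id, post_id=p.id)` and `Subscription(user_id=v.id, post_id=p.id)`, so the row always refers to the post that was actually checked. Because `deduct_when` only counts responses with a status below 400, the new 403 path is never deducted from the rate limit while still costing one post lookup per request; this is probably acceptable but should be a conscious choice. A short comment such as `# button stays visible on own posts (shows subscriber count), so the rule is enforced here` would record why the check lives server-side. The body of `subscribe` continues past the end of the hunk.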