From 12d7cfaa6c82f3581b7726eab980f21837c751b9 Mon Sep 17 00:00:00 2001
From: TLSM
Date: Thu, 11 Aug 2022 20:12:35 -0400
Subject: [PATCH] Verify admin level before editing others' posts.

Yes, it has been possible for any user to edit any post on the site, their own or otherwise. Only have to generate the POST /edit_post/ manually: an example exploit was created and tested successfully prior to patching. However, abuse of this vulnerability would have generated edit_post modlog entries, the lack of which on prod suggest it was not abused that we know of -- Lord knows how.
---
 files/routes/posts.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/files/routes/posts.py b/files/routes/posts.py
index da071eac3..b8fccc3a1 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -396,6 +396,9 @@ def edit_post(pid, v):
 
 	body = body.replace('\r\n', '\n')[:20000]
 
+	if v.id != p.author_id and v.admin_level < 2:
+		abort(403)
+
 	if v.id == p.author_id:
 		if v.longpost and (len(body) < 280 or ' [](' in body or body.startswith('[](')):
 			return {"error":"You have to type more than 280 characters!"}, 403
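Review bot: The new authorization check sits after the request body has already been read and normalized (`body = body.replace('\r\n', '\n')[:20000]`), and the start of `edit_post` lies outside the hunk, so whatever runs between `def edit_post(pid, v)` and line 396 presumably still executes for a caller who is neither the author nor an admin; moving the check to immediately after the post `p` is loaded would fail closed before any further processing. The threshold `2` is a magic number with no explanation — a named constant for the required admin level, or at minimum a comment such as `# only the author or an admin of sufficient level may edit someone else's post`, would record the intent. The rejection is also inconsistent with the adjacent error path, which returns a JSON body `{"error": ...}, 403` rather than calling `abort(403)`; the two should use one style so clients see a uniform 403 response.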