From 13173376a411a142cc0fd8b4a70edc3923b954ae Mon Sep 17 00:00:00 2001
From: Aevann
Date: Sat, 5 Aug 2023 19:03:14 +0300
Subject: [PATCH] use usernames instead of ids in GET urls visible to users whenever u can
---
 files/helpers/get.py | 7 ++-
 files/routes/users.py | 64 +++++++++++++---------------
 files/templates/userpage/voters.html | 4 +-
 3 files changed, 37 insertions(+), 38 deletions(-)
diff --git a/files/helpers/get.py b/files/helpers/get.py
index e413c056a..7231729d2 100644
--- a/files/helpers/get.py
+++ b/files/helpers/get.py
@@ -1,7 +1,7 @@
 from flask import *
 from sqlalchemy import and_, any_, or_
-from sqlalchemy.orm import joinedload, Query
+from sqlalchemy.orm import joinedload, Query, load_only
 from files.classes import Comment, CommentVote, Hat, Sub, Post, User, UserBlock, Vote
 from files.helpers.config.const import *
@@ -32,7 +32,7 @@ def get_id(username, graceful=False):
 return user[0]
-def get_user(username, v=None, graceful=False, include_blocks=False):
+def get_user(username, v=None, graceful=False, include_blocks=False, id_only=False):
 if not username:
 if graceful: return None
 abort(404)
@@ -51,6 +51,9 @@ def get_user(username, v=None, graceful=False, include_blocks=False):
 )
 )
+ if id_only:
+ user = user.options(load_only(User.id))
+
 user = user.one_or_none()
 if not user:
diff --git a/files/routes/users.py b/files/routes/users.py
index ca4afcfdb..a28e09820 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
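Review bot: The new `id_only` branch makes every column except `User.id` deferred, yet the rest of `get_user` (after `if not user:`, outside the hunk) still holds the loaded object; if any of that code reads another attribute of `user`, SQLAlchemy will issue a separate SELECT per deferred column, so the intended single-column query silently turns into several. The option is also undocumented; a comment at the branch such as `# id_only: defer every column but User.id — callers must not touch other attributes` would state the contract. Note that `get_id(username, graceful=False)` (context of the hunk at -32, `return user[0]`) already appears to return just the id for a username, which makes this option look redundant unless the two helpers differ in their filtering.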
@@ -142,15 +142,13 @@ def transfer_currency(v, username, currency_name, apply_tax):
 g.db.add(v)
 return {"message": f"{amount - tax} {currency_name} have been transferred to @{receiver.username}"}
-def upvoters_downvoters(v, username, uid, cls, vote_cls, vote_dir, template, standalone):
+def upvoters_downvoters(v, username, username2, cls, vote_cls, vote_dir, template, standalone):
 u = get_user(username, v=v)
 if not u.is_visible_to(v): abort(403)
 if not (v.id == u.id or v.admin_level >= PERMS['USER_VOTERS_VISIBLE']): abort(403)
 id = u.id
- try:
- uid = int(uid)
- except:
- abort(404)
+
+ uid = get_user(username2, id_only=True).id
 page = get_page()
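Review bot: `uid = get_user(username2, id_only=True).id` loads a User row just to read its id, while files/helpers/get.py already has `get_id(username, graceful=False)` (visible as context of its hunk at -32, returning `user[0]`); if that helper resolves a username the same way, `uid = get_id(username2)` does the job without the new `id_only` option. The same replacement applies to `upvoting_downvoting` in the hunk at -177. The lookup also omits `v=v`, unlike `u = get_user(username, v=v)` a few lines above — presumably deliberate since only the id is needed, but it deserves a line such as `# resolve the other user's name to an id; an unknown name 404s, replacing the old int() check`. The body of `upvoters_downvoters` continues past the hunk.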
@@ -177,46 +175,44 @@ def upvoters_downvoters(v, username, uid, cls, vote_cls, vote_dir, template, sta
 return render_template(template, total=total, listing=listing, page=page, v=v, standalone=standalone)
-@app.get("/@/upvoters//posts")
+@app.get("/@/upvoters/@/posts")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
-def upvoters_posts(v, username, uid):
- return upvoters_downvoters(v, username, uid, Post, Vote, 1, "userpage/voted_posts.html", None)
+def upvoters_posts(v, username, username2):
+ return upvoters_downvoters(v, username, username2, Post, Vote, 1, "userpage/voted_posts.html", None)
-@app.get("/@/upvoters//comments")
+@app.get("/@/upvoters/@/comments")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
-def upvoters_comments(v, username, uid):
- return upvoters_downvoters(v, username, uid, Comment, CommentVote, 1, "userpage/voted_comments.html", True)
+def upvoters_comments(v, username, username2):
+ return upvoters_downvoters(v, username, username2, Comment, CommentVote, 1, "userpage/voted_comments.html", True)
-@app.get("/@/downvoters//posts")
+@app.get("/@/downvoters/@/posts")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
-def downvoters_posts(v, username, uid):
- return upvoters_downvoters(v, username, uid, Post, Vote, -1, "userpage/voted_posts.html", None)
+def downvoters_posts(v, username, username2):
+ return upvoters_downvoters(v, username, username2, Post, Vote, -1, "userpage/voted_posts.html", None)
-@app.get("/@/downvoters//comments")
+@app.get("/@/downvoters/@/comments")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
-def downvoters_comments(v, username, uid):
- return upvoters_downvoters(v, username, uid, Comment, CommentVote, -1, "userpage/voted_comments.html", True)
+def downvoters_comments(v, username, username2):
+ return upvoters_downvoters(v, username, username2, Comment, CommentVote, -1, "userpage/voted_comments.html", True)
-def upvoting_downvoting(v, username, uid, cls, vote_cls, vote_dir, template, standalone):
+def upvoting_downvoting(v, username, username2, cls, vote_cls, vote_dir, template, standalone):
 u = get_user(username, v=v)
 if not u.is_visible_to(v): abort(403)
 if not (v.id == u.id or v.admin_level >= PERMS['USER_VOTERS_VISIBLE']): abort(403)
 id = u.id
- try:
- uid = int(uid)
- except:
- abort(404)
+
+ uid = get_user(username2, id_only=True).id
 page = get_page()
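Review bot: `username2` says nothing about which side of the vote it names, and the parameter is threaded through every new signature in this hunk and in the hunks at -142 and -243. From the route names it looks like the second user is the voter in the `upvoters`/`downvoters` handlers and the vote target in the `upvoting`/`downvoting` ones (the query bodies are outside the hunks, so this is inferred); names such as `voter_username` and `voted_username` in the respective helpers would make that visible at the call sites. The route strings as rendered here have lost their angle-bracketed converter segments, so how the second path segment is bound to `username2` cannot be checked from this view. `upvoting_downvoting`'s body continues past the hunk.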
@@ -243,36 +239,36 @@ def upvoting_downvoting(v, username, uid, cls, vote_cls, vote_dir, template, sta
 return render_template(template, total=total, listing=listing, page=page, v=v, standalone=standalone)
-@app.get("/@/upvoting//posts")
+@app.get("/@/upvoting/@/posts")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
-def upvoting_posts(v, username, uid):
- return upvoting_downvoting(v, username, uid, Post, Vote, 1, "userpage/voted_posts.html", None)
+def upvoting_posts(v, username, username2):
+ return upvoting_downvoting(v, username, username2, Post, Vote, 1, "userpage/voted_posts.html", None)
-@app.get("/@/upvoting//comments")
+@app.get("/@/upvoting/@/comments")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
-def upvoting_comments(v, username, uid):
- return upvoting_downvoting(v, username, uid, Comment, CommentVote, 1, "userpage/voted_comments.html", True)
+def upvoting_comments(v, username, username2):
+ return upvoting_downvoting(v, username, username2, Comment, CommentVote, 1, "userpage/voted_comments.html", True)
-@app.get("/@/downvoting//posts")
+@app.get("/@/downvoting/@/posts")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
-def downvoting_posts(v, username, uid):
- return upvoting_downvoting(v, username, uid, Post, Vote, -1, "userpage/voted_posts.html", None)
+def downvoting_posts(v, username, username2):
+ return upvoting_downvoting(v, username, username2, Post, Vote, -1, "userpage/voted_posts.html", None)
-@app.get("/@/downvoting//comments")
+@app.get("/@/downvoting/@/comments")
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400)
 @limiter.limit(DEFAULT_RATELIMIT, deduct_when=lambda response: response.status_code < 400, key_func=get_ID)
 @auth_required
-def downvoting_comments(v, username, uid):
- return upvoting_downvoting(v, username, uid, Comment, CommentVote, -1, "userpage/voted_comments.html", True)
+def downvoting_comments(v, username, username2):
+ return upvoting_downvoting(v, username, username2, Comment, CommentVote, -1, "userpage/voted_comments.html", True)
 def user_voted(v, username, cls, vote_cls, template, standalone):
 u = get_user(username, v=v)
diff --git a/files/templates/userpage/voters.html b/files/templates/userpage/voters.html
index f9e346131..1750c8c91 100644
--- a/files/templates/userpage/voters.html
+++ b/files/templates/userpage/voters.html
@@ -16,7 +16,7 @@
 {{loop.index+PAGE_SIZE*(page-1)}}
 {% include "user_in_table.html" %}
- {{num}}
+ {{num}}
 {% endfor %}
 {% if pos and (pos[0] > 25 or not pos[1]) %}
@@ -27,7 +27,7 @@
 {% include "user_in_table.html" %}
 {% endwith %}
- {{pos[1]}}
+ {{pos[1]}}
 {% endif %}
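Review bot: The rewritten link on the `{{num}}` line is not visible here (the anchor markup was stripped in this rendering), so whether the username is interpolated into the path raw cannot be confirmed; if it is, a name containing `/`, `?`, `#` or `%` would yield a broken or different URL, so either run it through Jinja's `urlencode` filter or confirm that registration restricts usernames to URL-safe characters. The `{{pos[1]}}` line in the hunk at -27 has the same shape and needs the same check.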