move ratelimit_user after auth

files/routes/comments.py

@@ -81,8 +81,8 @@ def post_pid_comment_cid(cid, pid=None, anything=None, v=None, sub=None):
 
 @app.post("/comment")
 @limiter.limit("1/second;20/minute;200/hour;1000/day")
-@ratelimit_user("1/second;20/minute;200/hour;1000/day")
 @auth_required
+@ratelimit_user("1/second;20/minute;200/hour;1000/day")
 def comment(v):
 	if v.is_suspended: abort(403, "You can't perform this action while banned.")
 
@@ -368,8 +368,8 @@ def comment(v):
 
 @app.post("/edit_comment/<cid>")
 @limiter.limit("1/second;10/minute;100/hour;200/day")
-@ratelimit_user("1/second;10/minute;100/hour;200/day")
 @is_not_permabanned
+@ratelimit_user("1/second;10/minute;100/hour;200/day")
 def edit_comment(cid, v):
 	c = get_comment(cid, v=v)
 

files/routes/posts.py

@@ -310,8 +310,8 @@ def morecomments(v, cid):
 
 @app.post("/edit_post/<pid>")
 @limiter.limit("1/second;10/minute;100/hour;200/day")
-@ratelimit_user("1/second;10/minute;100/hour;200/day")
 @is_not_permabanned
+@ratelimit_user("1/second;10/minute;100/hour;200/day")
 def edit_post(pid, v):
 	p = get_post(pid)
 	if v.id != p.author_id and v.admin_level < PERMS['POST_EDITING']:
@@ -1072,8 +1072,8 @@ extensions = IMAGE_FORMATS + VIDEO_FORMATS + AUDIO_FORMATS
 
 @app.get("/submit/title")
 @limiter.limit("3/minute")
-@ratelimit_user("3/minute")
 @auth_required
+@ratelimit_user("3/minute")
 def get_post_title(v):
 	POST_TITLE_TIMEOUT = 5
 	url = request.values.get("url")

files/routes/settings.py

@@ -581,8 +581,8 @@ def settings_security(v):
 
 @app.post("/settings/block")
 @limiter.limit("1/second;20/day")
-@ratelimit_user("1/second;20/day")
 @auth_required
+@ratelimit_user("1/second;20/day")
 def settings_block_user(v):
 	user = get_user(request.values.get("username"), graceful=True)
 	if not user: abort(404, "This user doesn't exist.")
@@ -671,8 +671,8 @@ def settings_name_change(v):
 @app.post("/settings/song_change_mp3")
 @feature_required('USERS_PROFILE_SONG')
 @limiter.limit("3/second;10/day")
-@ratelimit_user("3/second;10/day")
 @auth_required
+@ratelimit_user("3/second;10/day")
 def settings_song_change_mp3(v):
 	file = request.files['file']
 	if file.content_type != 'audio/mpeg':
@@ -699,8 +699,8 @@ def settings_song_change_mp3(v):
 @app.post("/settings/song_change")
 @feature_required('USERS_PROFILE_SONG')
 @limiter.limit("3/second;10/day")
-@ratelimit_user("3/second;10/day")
 @auth_required
+@ratelimit_user("3/second;10/day")
 def settings_song_change(v):
 	song=request.values.get("song").strip()
 

files/routes/static.py

@@ -208,8 +208,8 @@ def contact(v):
 
 @app.post("/send_admin")
 @limiter.limit("1/second;1/2 minutes;10/day")
-@ratelimit_user("1/second;1/2 minutes;10/day")
 @auth_required
+@ratelimit_user("1/second;1/2 minutes;10/day")
 def submit_contact(v):
 	body = request.values.get("message")
 	if not body: abort(400)

files/routes/subs.py

@@ -232,8 +232,8 @@ def sub_followers(v, sub):
 
 @app.post("/h/<sub>/add_mod")
 @limiter.limit("1/second;30/day")
-@ratelimit_user("1/second;30/day")
 @is_not_permabanned
+@ratelimit_user("1/second;30/day")
 def add_mod(v, sub):
 	if SITE_NAME == 'WPD': abort(403)
 	sub = get_sub_by_name(sub).name
@@ -457,8 +457,8 @@ def get_sub_css(sub):
 
 @app.post("/h/<sub>/banner")
 @limiter.limit("1/second;10/day")
-@ratelimit_user("1/second;10/day")
 @is_not_permabanned
+@ratelimit_user("1/second;10/day")
 def sub_banner(v, sub):
 	if g.is_tor: abort(403, "Image uploads are not allowed through TOR.")
 
@@ -490,8 +490,8 @@ def sub_banner(v, sub):
 
 @app.post("/h/<sub>/sidebar_image")
 @limiter.limit("1/second;10/day")
-@ratelimit_user("1/second;10/day")
 @is_not_permabanned
+@ratelimit_user("1/second;10/day")
 def sub_sidebar(v, sub):
 	if g.is_tor: abort(403, "Image uploads are not allowed through TOR.")
 
@@ -522,8 +522,8 @@ def sub_sidebar(v, sub):
 
 @app.post("/h/<sub>/marsey_image")
 @limiter.limit("1/second;10/day")
-@ratelimit_user("1/second;10/day")
 @is_not_permabanned
+@ratelimit_user("1/second;10/day")
 def sub_marsey(v, sub):
 	if g.is_tor: abort(403, "Image uploads are not allowed through TOR.")
 

files/routes/users.py

@@ -254,11 +254,9 @@ def downvoting(v, username):
 @app.post("/@<username>/suicide")
 @feature_required('USERS_SUICIDE')
 @limiter.limit("1/second;5/day")
-@ratelimit_user("1/second;5/day")
 @auth_required
+@ratelimit_user("1/second;5/day")
 def suicide(v, username):
-	
-
 	user = get_user(username)
 	suicide = f"Hi there,\n\nA [concerned user](/id/{v.id}) reached out to us about you.\n\nWhen you're in the middle of something painful, it may feel like you don't have a lot of options. But whatever you're going through, you deserve help and there are people who are here for you.\n\nThere are resources available in your area that are free, confidential, and available 24/7:\n\n- Call, Text, or Chat with Canada's [Crisis Services Canada](https://www.crisisservicescanada.ca/en/)\n- Call, Email, or Visit the UK's [Samaritans](https://www.samaritans.org/)\n- Text CHAT to America's [Crisis Text Line](https://www.crisistextline.org/) at 741741.\nIf you don't see a resource in your area above, the moderators keep a comprehensive list of resources and hotlines for people organized by location. Find Someone Now\n\nIf you think you may be depressed or struggling in another way, don't ignore it or brush it aside. Take yourself and your feelings seriously, and reach out to someone.\n\nIt may not feel like it, but you have options. There are people available to listen to you, and ways to move forward.\n\nYour fellow users care about you and there are people who want to help."
 	if not v.shadowbanned:
@@ -414,8 +412,8 @@ def unsubscribe(v, post_id):
 
 @app.post("/@<username>/message")
 @limiter.limit("1/second;10/minute;20/hour;50/day")
-@ratelimit_user("1/second;10/minute;20/hour;50/day")
 @is_not_permabanned
+@ratelimit_user("1/second;10/minute;20/hour;50/day")
 def message2(v, username):
 	user = get_user(username, v=v, include_blocks=True, include_shadowbanned=False)
 
@@ -479,8 +477,8 @@ def message2(v, username):
 
 @app.post("/reply")
 @limiter.limit("1/second;6/minute;50/hour;200/day")
-@ratelimit_user("1/second;6/minute;50/hour;200/day")
 @auth_required
+@ratelimit_user("1/second;6/minute;50/hour;200/day")
 def messagereply(v):
 	body = sanitize_raw_body(request.values.get("body"), False)
 	if not body and not request.files.get("file"): abort(400, "Message is empty!")