From 2b6418a13294df084a5646959f4972281072445c Mon Sep 17 00:00:00 2001
From: Aevann1
Date: Sat, 15 Jan 2022 08:31:17 +0200
Subject: [PATCH] testing
---
 files/__main__.py | 1 +
 files/mail/__init__.py | 2 +-
 files/routes/admin.py | 52 +++++++++++++++++++--------------------
 files/routes/awards.py | 6 ++---
 files/routes/comments.py | 13 +++++-----
 files/routes/login.py | 15 +++++------
 files/routes/oauth.py | 16 ++++++------
 files/routes/posts.py | 19 +++++++-------
 files/routes/reporting.py | 6 ++---
 files/routes/settings.py | 42 +++++++++++++++----------------
 files/routes/static.py | 3 +--
 files/routes/users.py | 27 +++++++++-----------
 files/routes/votes.py | 8 +++---
 13 files changed, 101 insertions(+), 109 deletions(-)
diff --git a/files/__main__.py b/files/__main__.py
index 68073555c..98ee90377 100644
--- a/files/__main__.py
+++ b/files/__main__.py
@@ -74,6 +74,7 @@ limiter = Limiter(
 app,
 key_func=get_ipaddr,
 default_limits=["3/second;30/minute;200/hour;1000/day"],
+ application_limits=["5/second;100/minute;5000/hour;10000/day"],
 headers_enabled=True,
 strategy="fixed-window"
 )
diff --git a/files/mail/__init__.py b/files/mail/__init__.py
index cbdbf5969..868febe2f 100644
--- a/files/mail/__init__.py
+++ b/files/mail/__init__.py
@@ -41,7 +41,7 @@ def send_verification_email(user, email=None):
 @app.post("/verify_email")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def api_verify_email(v):
diff --git a/files/routes/admin.py b/files/routes/admin.py
index 36ebb37b3..21da8b4fd 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -31,7 +31,7 @@ month = datetime.now().strftime('%B')
 @app.post("/@/make_admin")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(3)
 def make_admin(v, username):
 if request.host == 'rdrama.net': abort(403)
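Review bot: The new `application_limits` entry in `__main__.py` shares the limiter's `key_func=get_ipaddr`, so as far as I can tell from flask-limiter's API it is a per-client budget summed over all routes rather than a site-wide ceiling, and a short comment would keep the 5/second figure (above the 3/second per-route default) from being read as one: `# per-client (key_func) budget across all routes; not a global cap`. Because `get_ipaddr` keys on the leftmost X-Forwarded-For entry, every limit in this file, including this one, only tracks the real client when a trusted reverse proxy rewrites that header; confirm the deployment does so, or use `get_remote_address` if the app is reached directly.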
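Review bot: The literal `"1/second;30/minute;200/hour;1000/day"` introduced at `/verify_email` is repeated in roughly ninety hunks across admin.py, awards.py, comments.py, login.py, oauth.py, posts.py, reporting.py, settings.py, users.py and votes.py, and differs from `default_limits` only in the per-second tier, so a single named constant would make the next adjustment a one-line change and document why the slower tiers are restated at all. Something like `ROUTE_LIMITS = "1/second;30/minute;200/hour;1000/day"  # route limits replace default_limits, so restate the minute/hour/day tiers` next to the `limiter` definition, then `@limiter.limit(ROUTE_LIMITS)` on each route. The comment's claim about replacement is a presumption about flask-limiter's override behaviour and worth confirming against the installed version.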
@@ -44,7 +44,7 @@ def make_admin(v, username):
 @app.post("/@/remove_admin")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(3)
 def remove_admin(v, username):
 user = get_user(username)
@@ -55,7 +55,7 @@ def remove_admin(v, username):
 return {"message": "Admin removed!"}
 @app.post("/distribute/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(3)
 def distribute(v, comment):
 try: comment = int(comment)
@@ -90,7 +90,7 @@ def distribute(v, comment):
 return {"message": f"Each winner has received {coinsperperson} coins!"}
 @app.post("/@/revert_actions")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(3)
 def revert_actions(v, username):
 user = get_user(username)
@@ -128,7 +128,7 @@ def revert_actions(v, username):
 return {"message": "Admin actions reverted!"}
 @app.post("/@/club_allow")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def club_allow(v, username):
@@ -149,7 +149,7 @@ def club_allow(v, username):
 return {"message": f"@{username} has been allowed into the {cc}!"}
 @app.post("/@/club_ban")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def club_ban(v, username):
@@ -170,7 +170,7 @@ def club_ban(v, username):
 @app.post("/@/make_meme_admin")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def make_meme_admin(v, username):
 if request.host == 'pcmemes.net' or (SITE_NAME == 'Drama' and v.admin_level > 2) or (request.host != 'rdrama.net' and request.host != 'pcmemes.net'):
@@ -183,7 +183,7 @@ def make_meme_admin(v, username):
 @app.post("/@/remove_meme_admin")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def remove_meme_admin(v, username):
 if request.host == 'pcmemes.net' or (SITE_NAME == 'Drama' and v.admin_level > 2) or (request.host != 'rdrama.net' and request.host != 'pcmemes.net'):
@@ -238,7 +238,7 @@ def get_sidebar(v):
 @app.post('/admin/sidebar')
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(3)
 def post_sidebar(v):
@@ -413,7 +413,7 @@ def badge_grant_get(v):
 @app.post("/admin/badge_grant")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def badge_grant_post(v):
 user = get_user(request.values.get("username").strip(), graceful=True)
@@ -452,7 +452,7 @@ def badge_remove_get(v):
 @app.post("/admin/badge_remove")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def badge_remove_post(v):
 user = get_user(request.values.get("username").strip(), graceful=True)
@@ -602,7 +602,7 @@ def alt_votes_get(v):
 @app.post("/admin/link_accounts")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_link_accounts(v):
@@ -725,7 +725,7 @@ def agendaposter(user_id, v):
 @app.post("/shadowban/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def shadowban(user_id, v):
 user = g.db.query(User).filter_by(id=user_id).one_or_none()
@@ -750,7 +750,7 @@ def shadowban(user_id, v):
 @app.post("/unshadowban/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def unshadowban(user_id, v):
 user = g.db.query(User).filter_by(id=user_id).one_or_none()
@@ -776,7 +776,7 @@ def unshadowban(user_id, v):
 return {"message": "User unshadowbanned!"}
 @app.post("/admin/verify/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def verify(user_id, v):
 user = g.db.query(User).filter_by(id=user_id).one_or_none()
@@ -794,7 +794,7 @@ def verify(user_id, v):
 return {"message": "User verfied!"}
 @app.post("/admin/unverify/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def unverify(user_id, v):
 user = g.db.query(User).filter_by(id=user_id).one_or_none()
@@ -813,7 +813,7 @@ def unverify(user_id, v):
 @app.post("/admin/title_change/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_title_change(user_id, v):
@@ -844,7 +844,7 @@ def admin_title_change(user_id, v):
 return redirect(user.url)
 @app.post("/ban_user/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def ban_user(user_id, v):
@@ -906,7 +906,7 @@ def ban_user(user_id, v):
 @app.post("/unban_user/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def unban_user(user_id, v):
@@ -945,7 +945,7 @@ def unban_user(user_id, v):
 @app.post("/ban_post/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def ban_post(post_id, v):
@@ -981,7 +981,7 @@ def ban_post(post_id, v):
 @app.post("/unban_post/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def unban_post(post_id, v):
@@ -1129,7 +1129,7 @@ def unsticky_comment(cid, v):
 @app.post("/ban_comment/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def api_ban_comment(c_id, v):
@@ -1152,7 +1152,7 @@ def api_ban_comment(c_id, v):
 @app.post("/unban_comment/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def api_unban_comment(c_id, v):
@@ -1212,7 +1212,7 @@ def admin_banned_domains(v):
 return render_template("admin/banned_domains.html", v=v, banned_domains=banned_domains)
 @app.post("/admin/banned_domains")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_toggle_ban_domain(v):
@@ -1247,7 +1247,7 @@ def admin_toggle_ban_domain(v):
 @app.post("/admin/nuke_user")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_nuke_user(v):
@@ -1280,7 +1280,7 @@ def admin_nuke_user(v):
 @app.post("/admin/unnuke_user")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_nunuke_user(v):
diff --git a/files/routes/awards.py b/files/routes/awards.py
index 50a93e0eb..4157a16f5 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -176,7 +176,7 @@ def buy(v, award):
 @app.get("/post//awards")
 @app.post("/post//awards")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def award_post(pid, v):
@@ -362,7 +362,7 @@ def award_post(pid, v):
 @app.get("/comment//awards")
 @app.post("/comment//awards")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def award_comment(cid, v):
@@ -553,7 +553,7 @@ def admin_userawards_get(v):
 return render_template("admin/awards.html", awards=list(AWARDS.values()), v=v)
 @app.post("/admin/awards")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_userawards_post(v):
diff --git a/files/routes/comments.py b/files/routes/comments.py
index d36048163..1b1b2f537 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -130,8 +130,7 @@ def post_pid_comment_cid(cid, pid=None, anything=None, v=None):
 @app.post("/comment")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
+@limiter.limit("1/second;6/minute;200/hour;1000/day")
 @auth_required
 def api_comment(v):
 if v.is_suspended: return {"error": "You can't perform this action while banned."}, 403
@@ -524,7 +523,7 @@ def api_comment(v):
 @app.post("/edit_comment/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def edit_comment(cid, v):
 if v and v.patron:
@@ -696,7 +695,7 @@ def edit_comment(cid, v):
 @app.post("/delete/comment/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def delete_comment(cid, v):
@@ -717,7 +716,7 @@ def delete_comment(cid, v):
 return {"message": "Comment deleted!"}
 @app.post("/undelete/comment/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def undelete_comment(cid, v):
@@ -781,7 +780,7 @@ def unpin_comment(cid, v):
 return {"message": "Comment unpinned!"}
 @app.post("/save_comment/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def save_comment(cid, v):
@@ -799,7 +798,7 @@ def save_comment(cid, v):
 return {"message": "Comment saved!"}
 @app.post("/unsave_comment/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def unsave_comment(cid, v):
diff --git a/files/routes/login.py b/files/routes/login.py
index 74be07d47..0a44b9c61 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -73,8 +73,7 @@ def check_for_alts(current_id):
 @app.post("/login")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
+@limiter.limit("1/second;6/minute;200/hour;1000/day")
 def login_post():
 template = ''
@@ -154,7 +153,7 @@ def me(v):
 @app.post("/logout")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def logout(v):
@@ -208,8 +207,7 @@ def sign_up_get(v):
 @app.post("/signup")
-@limiter.limit("1/second")
-@limiter.limit("5/day")
+@limiter.limit("1/minute;5/day")
 @auth_desired
 def sign_up_post(v):
 with open('disable_signups', 'r') as f:
@@ -351,7 +349,7 @@ def get_forgot():
 @app.post("/forgot")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 def post_forgot():
 username = request.values.get("username").lstrip('@')
@@ -410,7 +408,7 @@ def get_reset():
 @app.post("/reset")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_desired
 def post_reset(v):
 if v: return redirect('/')
@@ -463,8 +461,7 @@ def lost_2fa(v):
 )
 @app.post("/request_2fa_disable")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
+@limiter.limit("1/second;6/minute;200/hour;1000/day")
 def request_2fa_disable():
 username=request.values.get("username")
diff --git a/files/routes/oauth.py b/files/routes/oauth.py
index ad0e26248..5f803e0f8 100644
--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@@ -17,7 +17,7 @@ def authorize_prompt(v):
 @app.post("/authorize")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def authorize(v):
@@ -35,7 +35,7 @@ def authorize(v):
 @app.post("/api_keys")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @is_not_permabanned
 def request_api_keys(v):
@@ -72,7 +72,7 @@ def request_api_keys(v):
 @app.post("/delete_app/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def delete_oauth_app(v, aid):
@@ -92,7 +92,7 @@ def delete_oauth_app(v, aid):
 @app.post("/edit_app/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @is_not_permabanned
 def edit_oauth_app(v, aid):
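Review bot: `/forgot` now permits 30/minute and 200/hour per IP, and if `post_forgot` sends a reset email for the supplied username (its body runs past the hunk, so this is inferred from the name) that is a large budget for an endpoint that generates outbound mail on behalf of arbitrary accounts; `/request_2fa_disable` in this file and `/verify_email` in files/mail/__init__.py look to be in the same category. A tier closer to the `/signup` or `/send_admin` budgets, e.g. `@limiter.limit("1/second;2/minute;6/hour;20/day")` (figures are a suggestion, not measured), plus a throttle keyed on the target account rather than the requesting IP, would bound the mail volume a single client can cause. The `/reset` and `/logout` limits in this group seem fine as they are.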
@@ -113,7 +113,7 @@ def edit_oauth_app(v, aid):
 @app.post("/admin/app/approve/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_app_approve(v, aid):
@@ -147,7 +147,7 @@ def admin_app_approve(v, aid):
 @app.post("/admin/app/revoke/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_app_revoke(v, aid):
@@ -172,7 +172,7 @@ def admin_app_revoke(v, aid):
 @app.post("/admin/app/reject/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def admin_app_reject(v, aid):
@@ -261,7 +261,7 @@ def admin_apps_list(v):
 @app.post("/oauth/reroll/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def reroll_oauth_tokens(aid, v):
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 55dffde4f..bc0c35de1 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -50,7 +50,7 @@ def toggle_club(pid, v):
 @app.post("/publish/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def publish(pid, v):
 post = get_post(pid)
@@ -236,7 +236,7 @@ def post_id(pid, anything=None, v=None):
 return render_template(template, v=v, p=post, sort=sort, render_replies=True, offset=offset)
 @app.post("/viewmore///")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def viewmore(v, pid, sort, offset):
 offset = int(offset)
@@ -336,7 +336,7 @@ def viewmore(v, pid, sort, offset):
 @app.post("/morecomments/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def morecomments(v, cid):
 tcid = g.db.query(Comment.top_comment_id).filter_by(id=cid).one_or_none()[0]
@@ -384,7 +384,7 @@ def morecomments(v, cid):
 return render_template("comments.html", v=v, comments=comments, render_replies=True)
 @app.post("/edit_post/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def edit_post(pid, v):
 if v and v.patron:
@@ -681,8 +681,7 @@ def thumbnail_thread(pid):
 @app.post("/submit")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
+@limiter.limit("1/second;6/minute;200/hour;1000/day")
 @auth_required
 def submit_post(v):
 if v.is_suspended: return {"error": "You can't perform this action while banned."}, 403
@@ -1132,7 +1131,7 @@ def submit_post(v):
 @app.post("/delete_post/")
-@limiter.limit("2/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def delete_post_pid(pid, v):
@@ -1153,7 +1152,7 @@ def delete_post_pid(pid, v):
 return {"message": "Post deleted!"}
 @app.post("/undelete_post/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def undelete_post_pid(pid, v):
 post = get_post(pid)
@@ -1208,7 +1207,7 @@ def toggle_post_nsfw(pid, v):
 else: return {"message": "Post has been unmarked as +18!"}
 @app.post("/save_post/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def save_post(pid, v):
@@ -1224,7 +1223,7 @@ def save_post(pid, v):
 return {"message": "Post saved!"}
 @app.post("/unsave_post/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def unsave_post(pid, v):
diff --git a/files/routes/reporting.py b/files/routes/reporting.py
index 3180b3b26..8dc950e02 100644
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@@ -6,7 +6,7 @@ from os import path
 from files.helpers.sanitize import filter_emojis_only
 @app.post("/report/post/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def api_flag_post(pid, v):
@@ -36,7 +36,7 @@ def api_flag_post(pid, v):
 @app.post("/report/comment/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def api_flag_comment(cid, v):
@@ -60,7 +60,7 @@ def api_flag_comment(cid, v):
 @app.post('/del_report/')
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @admin_level_required(2)
 def remove_report(report_fn, v):
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 57a184541..783dbfa00 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -34,7 +34,7 @@ tiers={
 }
 @app.post("/settings/removebackground")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def removebackground(v):
 v.background = None
@@ -43,7 +43,7 @@ def removebackground(v):
 return {"message": "Background removed!"}
 @app.post("/settings/profile")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_profile_post(v):
 if v and v.patron:
@@ -409,7 +409,7 @@ def changelogsub(v):
 else: return {"message": "You have unsubscribed from the changelog!"}
 @app.post("/settings/namecolor")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def namecolor(v):
@@ -422,7 +422,7 @@ def namecolor(v):
 return redirect("/settings/profile")
 @app.post("/settings/themecolor")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def themecolor(v):
@@ -435,7 +435,7 @@ def themecolor(v):
 return redirect("/settings/profile")
 @app.post("/settings/gumroad")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def gumroad(v):
 if SITE_NAME == 'Drama': patron = 'Paypig'
@@ -487,7 +487,7 @@ def gumroad(v):
 return {"message": f"{patron} rewards claimed!"}
 @app.post("/settings/titlecolor")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def titlecolor(v):
@@ -500,7 +500,7 @@ def titlecolor(v):
 return redirect("/settings/profile")
 @app.post("/settings/verifiedcolor")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def verifiedcolor(v):
 verifiedcolor = str(request.values.get("verifiedcolor", "")).strip()
@@ -512,7 +512,7 @@ def verifiedcolor(v):
 return redirect("/settings/profile")
 @app.post("/settings/security")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_security_post(v):
 if request.values.get("new_password"):
@@ -595,7 +595,7 @@ def settings_security_post(v):
 return render_template("settings_security.html", v=v, msg="Two-factor authentication disabled.")
 @app.post("/settings/log_out_all_others")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_log_out_others(v):
@@ -616,7 +616,7 @@ def settings_log_out_others(v):
 @app.post("/settings/images/profile")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_images_profile(v):
 if v and v.patron:
@@ -651,7 +651,7 @@ def settings_images_profile(v):
 @app.post("/settings/images/banner")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_images_banner(v):
 if v and v.patron:
@@ -676,7 +676,7 @@ def settings_images_banner(v):
 @app.post("/settings/delete/profile")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_delete_profile(v):
@@ -689,7 +689,7 @@ def settings_delete_profile(v):
 msg="Profile picture successfully removed.")
 @app.post("/settings/delete/banner")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_delete_banner(v):
@@ -714,7 +714,7 @@ def settings_css_get(v):
 return render_template("settings_css.html", v=v)
 @app.post("/settings/css")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_css(v):
 if v.agendaposter: return {"error": "Agendapostered users can't edit css!"}
@@ -734,7 +734,7 @@ def settings_profilecss_get(v):
 return render_template("settings_profilecss.html", v=v)
 @app.post("/settings/profilecss")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_profilecss(v):
 if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css."
@@ -746,7 +746,7 @@ def settings_profilecss(v):
 return render_template("settings_profilecss.html", v=v)
 @app.post("/settings/block")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_block_user(v):
@@ -780,7 +780,7 @@ def settings_block_user(v):
 @app.post("/settings/unblock")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_unblock_user(v):
@@ -809,7 +809,7 @@ def settings_apps(v):
 @app.post("/settings/remove_discord")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_remove_discord(v):
@@ -829,7 +829,7 @@ def settings_content_get(v):
 return render_template("settings_filters.html", v=v)
 @app.post("/settings/name_change")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @is_not_permabanned
 def settings_name_change(v):
@@ -873,7 +873,7 @@ def settings_name_change(v):
 return redirect("/settings/profile")
 @app.post("/settings/song_change")
-@limiter.limit("5/day;1/second")
+@limiter.limit("1/second;5/day")
 @auth_required
 def settings_song_change(v):
 song=request.values.get("song").strip()
@@ -951,7 +951,7 @@ def settings_song_change(v):
 return redirect("/settings/profile")
 @app.post("/settings/title_change")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def settings_title_change(v):
diff --git a/files/routes/static.py b/files/routes/static.py
index 859de1d18..565af3e4b 100644
--- a/files/routes/static.py
+++ b/files/routes/static.py
@@ -262,8 +262,7 @@ def contact(v):
 return render_template("contact.html", v=v)
 @app.post("/send_admin")
-@limiter.limit("1/second")
-@limiter.limit("6/hour")
+@limiter.limit("1/second;2/minute;6/hour;10/day")
 @auth_required
 def submit_contact(v):
 body = request.values.get("message")
diff --git a/files/routes/users.py b/files/routes/users.py
index 79fdc569e..07ddb5d96 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -133,7 +133,7 @@ def downvoting(v, username):
 return render_template("voters.html", v=v, users=users, name='Down', name2=f'Who @{username} hates')
 @app.post("/pay_rent")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def pay_rent(v):
 if v.coins < 500: return {"error":"You must have more than 500 coins."}
@@ -149,7 +149,7 @@ def pay_rent(v):
 @app.post("/steal")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def steal(v):
 if int(time.time()) - v.created_utc < 604800:
@@ -203,7 +203,7 @@ def thiefs(v):
 @app.post("/@/suicide")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def suicide(v, username):
 t = int(time.time())
@@ -225,7 +225,7 @@ def get_coins(v, username):
 else: return {"error": "invalid_user"}, 404
 @app.post("/@/transfer_coins")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @is_not_permabanned
 def transfer_coins(v, username):
 receiver = g.db.query(User).filter_by(username=username).one_or_none()
@@ -262,7 +262,7 @@ def transfer_coins(v, username):
 @app.post("/@/transfer_bux")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @is_not_permabanned
 def transfer_bux(v, username):
 receiver = g.db.query(User).filter_by(username=username).one_or_none()
@@ -367,7 +367,7 @@ def song(song):
 return resp
 @app.post("/subscribe/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def subscribe(v, post_id):
 new_sub = Subscription(user_id=v.id, submission_id=post_id)
@@ -376,7 +376,7 @@ def subscribe(v, post_id):
 return {"message": "Post subscribed!"}
 @app.post("/unsubscribe/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def unsubscribe(v, post_id):
 sub=g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).one_or_none()
@@ -391,8 +391,7 @@ def reportbugs(v):
 return redirect(f'/post/{BUG_THREAD}')
 @app.post("/@/message")
-@limiter.limit("1/second")
-@limiter.limit("10/hour")
+@limiter.limit("1/second;2/minute;10/hour;50/day")
 @is_not_permabanned
 def message2(v, username):
@@ -458,9 +457,7 @@ def message2(v, username):
 @app.post("/reply")
-@limiter.limit("1/second")
-@limiter.limit("6/minute")
-@limiter.limit("50/hour")
+@limiter.limit("1/second;6/minute;50/hour;200/day")
 @auth_required
 def messagereply(v):
@@ -795,7 +792,7 @@ def u_username_info(username, v=None):
 @app.post("/follow/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def follow_user(username, v):
@@ -819,7 +816,7 @@ def follow_user(username, v):
 return {"message": "User followed!"}
 @app.post("/unfollow/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def unfollow_user(username, v):
@@ -843,7 +840,7 @@ def unfollow_user(username, v):
 return {"message": "User unfollowed!"}
 @app.post("/remove_follow/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def remove_follow(username, v):
 target = get_user(username)
diff --git a/files/routes/votes.py b/files/routes/votes.py
index 98bfd6fce..5e8083aa0 100644
--- a/files/routes/votes.py
+++ b/files/routes/votes.py
@@ -10,7 +10,7 @@ from os import environ
 defaultcolor = environ.get("DEFAULT_COLOR").strip()
 @app.get("/votes")
-@limiter.limit("5/second;60/minute;200/hour")
+@limiter.limit("5/second;60/minute;200/hour;1000/day")
 @auth_required
 def admin_vote_info_get(v):
 link = request.values.get("link")
@@ -65,7 +65,7 @@ def admin_vote_info_get(v):
 @app.post("/vote/post//")
-@limiter.limit("5/second;60/minute;600/hour")
+@limiter.limit("5/second;60/minute;600/hour;1000/day")
 @auth_required
 def api_vote_post(post_id, new, v):
@@ -123,7 +123,7 @@ def api_vote_post(post_id, new, v):
 return "", 204
 @app.post("/vote/comment//")
-@limiter.limit("5/second;60/minute;600/hour")
+@limiter.limit("5/second;60/minute;600/hour;1000/day")
 @auth_required
 def api_vote_comment(comment_id, new, v):
@@ -224,7 +224,7 @@ def api_vote_poll(comment_id, v):
 @app.post("/bet/")
-@limiter.limit("1/second")
+@limiter.limit("1/second;30/minute;200/hour;1000/day")
 @auth_required
 def bet(comment_id, v):