From 340f9e31fea3db26915772e15d87a1ae8f3463b5 Mon Sep 17 00:00:00 2001
From: Aevann1 <randomname42029@gmail.com>
Date: Fri, 23 Sep 2022 14:51:57 +0200
Subject: [PATCH] limit asset perms and generate modlog for updating

---
 files/classes/mod_logs.py         | 10 ++++++++++
 files/routes/asset_submissions.py | 28 ++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/files/classes/mod_logs.py b/files/classes/mod_logs.py
index def124b88..a847f48a6 100644
--- a/files/classes/mod_logs.py
+++ b/files/classes/mod_logs.py
@@ -433,6 +433,16 @@ ACTIONTYPES = {
 		"str": 'unshadowbanned {self.target_link}', 
 		"icon": 'fa-eye', 
 		"color": 'bg-success'
+	},
+	'update_hat': {
+		"str": 'Updated hat image', 
+		"icon": 'fa-hat-cowboy', 
+		"color": 'bg-success'
+	},
+	'update_marsey': {
+		"str": 'Updated marsey image', 
+		"icon": 'fa-cat', 
+		"color": 'bg-success'
 	}
 }
 
diff --git a/files/routes/asset_submissions.py b/files/routes/asset_submissions.py
index 7fdd02b3a..ecd4c0f4b 100644
--- a/files/routes/asset_submissions.py
+++ b/files/routes/asset_submissions.py
@@ -94,7 +94,7 @@ def submit_marsey(v):
 @app.post("/admin/approve/marsey/<name>")
 @admin_level_required(3)
 def approve_marsey(v, name):
-	if v.id not in (AEVANN_ID, CARP_ID):
+	if AEVANN_ID and v.id not in (AEVANN_ID, CARP_ID, SNAKES_ID):
 		return {"error": "Only Carp can approve marseys!"}, 403
 
 	name = name.lower().strip()
@@ -253,7 +253,7 @@ def submit_hat(v):
 @app.post("/admin/approve/hat/<name>")
 @admin_level_required(3)
 def approve_hat(v, name):
-	if v.id not in (AEVANN_ID, CARP_ID):
+	if AEVANN_ID and v.id not in (AEVANN_ID, CARP_ID, SNAKES_ID):
 		return {"error": "Only Carp can approve hats!"}, 403
 
 	name = name.strip()
@@ -347,12 +347,17 @@ def remove_hat(v, name):
 @app.get("/admin/update/marseys")
 @admin_level_required(3)
 def update_marseys(v):
+	if AEVANN_ID and v.id not in (AEVANN_ID, CARP_ID, GEESE_ID, SNAKES_ID):
+		abort(403)
+
 	return render_template("update_assets.html", v=v, type="Marsey")
 
 
 @app.post("/admin/update/marseys")
 @admin_level_required(3)
 def update_marsey(v):
+	if AEVANN_ID and v.id not in (AEVANN_ID, CARP_ID, GEESE_ID, SNAKES_ID):
+		abort(403)
 
 	file = request.files["image"]
 	name = request.values.get('name').lower().strip()
@@ -391,6 +396,13 @@ def update_marsey(v):
 	requests.post(f'https://api.cloudflare.com/client/v4/zones/{CF_ZONE}/purge_cache', headers=CF_HEADERS, 
 		data=f'{{"files": ["https://{SITE}/e/{name}.webp", "https://{SITE}/assets/images/emojis/{name}.webp", "https://{SITE}/asset_submissions/marseys/original/{name}.{format}"]}}', timeout=5)
 
+	ma = ModAction(
+		kind="update_marsey",
+		user_id=v.id,
+		_note=name
+	)
+	g.db.add(ma)
+
 	return render_template("update_assets.html", v=v, msg=f"'{name}' updated successfully!", type="Marsey")
 
 
@@ -398,12 +410,17 @@ def update_marsey(v):
 @app.get("/admin/update/hats")
 @admin_level_required(3)
 def update_hats(v):
+	if AEVANN_ID and v.id not in (AEVANN_ID, CARP_ID, GEESE_ID, SNAKES_ID):
+		abort(403)
+
 	return render_template("update_assets.html", v=v, type="Hat")
 
 
 @app.post("/admin/update/hats")
 @admin_level_required(3)
 def update_hat(v):
+	if AEVANN_ID and v.id not in (AEVANN_ID, CARP_ID, GEESE_ID, SNAKES_ID):
+		abort(403)
 
 	file = request.files["image"]
 	name = request.values.get('name').strip()
@@ -448,4 +465,11 @@ def update_hat(v):
 	requests.post(f'https://api.cloudflare.com/client/v4/zones/{CF_ZONE}/purge_cache', headers=CF_HEADERS, 
 		data=f'{{"files": ["https://{SITE}/i/hats/{name}.webp", "https://{SITE}/assets/images/hats/{name}.webp", "https://{SITE}/asset_submissions/hats/original/{name}.{format}"]}}', timeout=5)
 
+	ma = ModAction(
+		kind="update_hat",
+		user_id=v.id,
+		_note=name
+	)
+	g.db.add(ma)
+
 	return render_template("update_assets.html", v=v, msg=f"'{name}' updated successfully!", type="Hat")
\ No newline at end of file