diff --git a/files/helpers/wrappers.py b/files/helpers/wrappers.py index dbded1fed..6072a86af 100644 --- a/files/helpers/wrappers.py +++ b/files/helpers/wrappers.py @@ -35,13 +35,9 @@ def calc_users(v): return '' def get_logged_in_user(): - if hasattr(g, 'v'): return g.v - if not (hasattr(g, 'db') and g.db): g.db = db_session() - v = None - token = request.headers.get("Authorization","").strip() if token: client = g.db.query(ClientAuth).filter(ClientAuth.access_token == token).one_or_none() @@ -66,7 +62,7 @@ def get_logged_in_user(): if not v.validate_formkey(submitted_key): abort(401) v.client = None - + g.is_api_or_xhr = bool((v and v.client) or request.headers.get("xhr")) if request.method.lower() != "get" and app.config['SETTINGS']['Read-only mode'] and not (v and v.admin_level >= PERMS['SITE_BYPASS_READ_ONLY_MODE']): abort(403) diff --git a/files/routes/comments.py b/files/routes/comments.py index 314e077fe..d80bb272e 100644 --- a/files/routes/comments.py +++ b/files/routes/comments.py @@ -56,8 +56,8 @@ def post_pid_comment_cid(cid, pid=None, anything=None, v=None, sub=None): post = get_post(pid, v=v) if post.over_18 and not (v and v.over_18) and not session.get('over_18', 0) >= int(time.time()): - if request.headers.get("Authorization"): abort(403, "This content is not suitable for some users and situations.") - else: return render_template("errors/nsfw.html", v=v) + if v and v.client: abort(403, "This content is not suitable for some users and situations.") + else: return render_template("errors/nsfw.html", v=v), 403 try: context = min(int(request.values.get("context", 0)), 8) except: context = 0 
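Review bot: `g.is_api_or_xhr` is assigned only here, inside get_logged_in_user, yet the new code in posts.py (including the nested `error()` closure in submit_post), subs.py and users.py reads it unconditionally, so any request that reaches those views without passing through this function raises AttributeError and becomes a 500 instead of the intended 400/403/451. A request-wide default, such as a `before_request` hook setting `g.is_api_or_xhr = False` or readers using `getattr(g, 'is_api_or_xhr', False)`, closes that gap. The line also changes what "API" means and deserves a comment: `# API client whose token resolved to a ClientAuth, or an XHR request: views use this to choose JSON over HTML; a bare Authorization header no longer counts (errors.py keeps the header check on purpose)`. get_logged_in_user begins in the previous hunk and continues past this one.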
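Review bot: The HTML branch now returns the nsfw page with status 403, but the matching age gate in posts.py (hunk @@ -143) still renders `errors/nsfw.html` with an implicit 200, and it keys its JSON branch on `g.is_api_or_xhr` while this one keys on `v and v.client`, so an XHR caller of a comment permalink receives HTML where the post route would give it a JSON 451. Aligning the two, `if g.is_api_or_xhr: abort(403, "This content is not suitable for some users and situations.")` here and an explicit status on the template return in posts.py, keeps age-gate responses uniform across both routes. post_pid_comment_cid begins before this hunk and continues past it.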
@@ -115,7 +115,7 @@ def post_pid_comment_cid(cid, pid=None, anything=None, v=None, sub=None): post.replies=[top_comment] - if request.headers.get("Authorization"): return top_comment.json + if v and v.client: return top_comment.json else: if post.is_banned and not (v and (v.admin_level >= PERMS['POST_COMMENT_MODERATION'] or post.author_id == v.id)): template = "submission_banned.html" else: template = "submission.html" @@ -255,7 +255,7 @@ def comment(v): if parent.author.any_block_exists(v) and v.admin_level < PERMS['POST_COMMENT_MODERATION']: abort(403, "You can't reply to users who have blocked you or users that you have blocked.") - is_bot = v.id != BBBB_ID and (bool(request.headers.get("Authorization")) or (SITE == 'pcmemes.net' and v.id == SNAPPY_ID)) + is_bot = v.id != BBBB_ID and v.client or (SITE == 'pcmemes.net' and v.id == SNAPPY_ID)) execute_antispam_comment_check(body, v) @@ -416,7 +416,7 @@ def comment(v): g.db.flush() - if request.headers.get("Authorization"): return c.json + if v.client: return c.json return {"comment": render_template("comments.html", v=v, comments=[c])} diff --git a/files/routes/errors.py b/files/routes/errors.py index db6c80c1d..7a91b2bee 100644 --- a/files/routes/errors.py +++ b/files/routes/errors.py @@ -27,6 +27,7 @@ def error(e): if WERKZEUG_ERROR_DESCRIPTIONS.get(e.code, None) == details: details = None + # for here and 401, not using g.is_api_or_xhr is intentional since API users won't get invalid token errors otherwise if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error": title, "code": e.code, "description": msg, "details": details}, e.code img = ERROR_MARSEYS.get(e.code, 'marseyl') diff --git a/files/routes/front.py b/files/routes/front.py index 404eddd29..8356480c4 100644 --- a/files/routes/front.py +++ b/files/routes/front.py 
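Review bot: The new `is_bot` line in comment() has unbalanced parentheses as rendered here — `... or (SITE == 'pcmemes.net' and v.id == SNAPPY_ID))` closes one more group than it opens — so files/routes/comments.py would fail to import and every route in the module would be unavailable. Dropping the outer group also changes the grouping (`and` binds tighter than `or`, so `v.id != BBBB_ID` no longer applies to the SNAPPY case) and leaves `is_bot` as a ClientAuth object rather than a bool, which matters if it is persisted on the comment. `is_bot = v.id != BBBB_ID and (bool(v.client) or (SITE == 'pcmemes.net' and v.id == SNAPPY_ID))` restores the original shape; the same missing `bool()` is in posts.py hunk @@ -877. comment() begins before this hunk and continues past it.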
@@ -72,7 +72,7 @@ def front_all(v, sub=None, subdomain=None): if v.hidevotedon: posts = [x for x in posts if not hasattr(x, 'voted') or not x.voted] award_timers(v) - if request.headers.get("Authorization"): return {"data": [x.json for x in posts], "next_exists": next_exists} + if v and v.client: return {"data": [x.json for x in posts], "next_exists": next_exists} return render_template("home.html", v=v, listing=posts, next_exists=next_exists, sort=sort, t=t, page=page, ccmode=ccmode, sub=sub, home=True, pins=pins) @@ -206,7 +206,7 @@ def all_comments(v): idlist = idlist[:25] - if request.headers.get("Authorization"): return {"data": [x.json for x in comments]} + if v.client: return {"data": [x.json for x in comments]} return render_template("home_comments.html", v=v, sort=sort, t=t, page=page, comments=comments, standalone=True, next_exists=next_exists) diff --git a/files/routes/login.py b/files/routes/login.py index 1ea28b948..04ff71d2d 100644 --- a/files/routes/login.py +++ b/files/routes/login.py @@ -174,7 +174,7 @@ def on_login(account, redir=None): @app.get("/@me") @auth_required def me(v): - if request.headers.get("Authorization"): return v.json + if v.client: return v.json else: return redirect(v.url) diff --git a/files/routes/notifications.py b/files/routes/notifications.py index ca64f7380..a1b37008d 100644 --- a/files/routes/notifications.py +++ b/files/routes/notifications.py @@ -47,7 +47,7 @@ def notifications_modmail(v): g.db.commit() - if request.headers.get("Authorization"): return {"data":[x.json for x in listing]} + if v.client: return {"data":[x.json for x in listing]} return render_template("notifications.html", v=v, @@ -117,7 +117,7 @@ def notifications_messages(v): c.unread = True list_to_perserve_unread_attribute.append(c) - if request.headers.get("Authorization"): return {"data":[x.json for x in listing]} + if v.client: return {"data":[x.json for x in listing]} return render_template("notifications.html", v=v, 
@@ -159,7 +159,7 @@ def notifications_posts(v): v.last_viewed_post_notifs = int(time.time()) g.db.add(v) - if request.headers.get("Authorization"): return {"data":[x.json for x in listing]} + if v.client: return {"data":[x.json for x in listing]} return render_template("notifications.html", v=v, @@ -230,7 +230,7 @@ def notifications_reddit(v): g.db.commit() - if request.headers.get("Authorization"): return {"data":[x.json for x in listing]} + if v.client: return {"data":[x.json for x in listing]} return render_template("notifications.html", v=v, @@ -298,7 +298,7 @@ def notifications(v): g.db.commit() - if request.headers.get("Authorization"): return {"data":[x.json for x in listing]} + if v.client: return {"data":[x.json for x in listing]} return render_template("notifications.html", v=v, diff --git a/files/routes/posts.py b/files/routes/posts.py index 5701fcdf7..15db20131 100644 --- a/files/routes/posts.py +++ b/files/routes/posts.py @@ -143,7 +143,7 @@ def post_id(pid, anything=None, v=None, sub=None): if not post.can_see(v): abort(403) if post.over_18 and not (v and v.over_18) and session.get('over_18', 0) < int(time.time()): - if request.headers.get("Authorization") or request.headers.get("xhr"): return {"error":"Must be 18+ to view"}, 451 + if g.is_api_or_xhr: return {"error":"Must be 18+ to view"}, 451 return render_template("errors/nsfw.html", v=v) if post.new or 'megathread' in post.title.lower(): defaultsortingcomments = 'new' @@ -216,7 +216,7 @@ def post_id(pid, anything=None, v=None, sub=None): if v and v.poorcel: threshold = 50 else: threshold = 100 - if post.comment_count > threshold+25 and not request.headers.get("Authorization") and not request.values.get("all"): + if post.comment_count > threshold+25 and not (v and v.client) and not request.values.get("all"): comments2 = [] count = 0 if post.created_utc > 1638672040: 
@@ -254,7 +254,7 @@ def post_id(pid, anything=None, v=None, sub=None): post.views += 1 g.db.add(post) - if request.headers.get("Authorization"): + if v and v.client: return post.json template = "submission.html" @@ -708,7 +708,7 @@ def submit_post(v, sub=None): body = sanitize_raw_body(request.values.get("body", ""), True) def error(error): - if request.headers.get("Authorization") or request.headers.get("xhr"): abort(400, error) + if g.is_api_or_xhr: abort(400, error) SUBS = [x[0] for x in g.db.query(Sub.name).order_by(Sub.name).all()] return render_template("submit.html", SUBS=SUBS, v=v, error=error, title=title, url=url, body=body), 400 @@ -877,7 +877,7 @@ def submit_post(v, sub=None): if embed and len(embed) > 1500: embed = None - is_bot = v.id != BBBB_ID and bool(request.headers.get("Authorization")) or (SITE == 'pcmemes.net' and v.id == SNAPPY_ID) + is_bot = v.id != BBBB_ID and v.client or (SITE == 'pcmemes.net' and v.id == SNAPPY_ID) if request.values.get("ghost") and v.coins >= 100: v.charge_account('coins', 100) @@ -1041,7 +1041,7 @@ def submit_post(v, sub=None): send_wpd_message(post.permalink) g.db.commit() - if request.headers.get("Authorization"): return post.json + if v.client: return post.json else: post.voted = 1 if post.new or 'megathread' in post.title.lower(): sort = 'new' diff --git a/files/routes/search.py b/files/routes/search.py index cca7817b6..a32db0a6a 100644 --- a/files/routes/search.py +++ b/files/routes/search.py @@ -71,7 +71,7 @@ def searchposts(v): posts = posts.filter(Submission.ghost == False) author = get_user(criteria['author'], v=v, include_shadowbanned=False) if author.is_private and author.id != v.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye: - if request.headers.get("Authorization"): + if v.client: abort(403, f"@{author.username}'s profile is private; You can't use the 'author' syntax on them") return render_template("search.html", v=v, 
@@ -159,7 +159,7 @@ def searchposts(v): posts = get_posts(ids, v=v) - if request.headers.get("Authorization"): return {"total":total, "data":[x.json for x in posts]} + if v.client: return {"total":total, "data":[x.json for x in posts]} return render_template("search.html", v=v, @@ -199,7 +199,7 @@ def searchcomments(v): comments = comments.filter(Comment.ghost == False) author = get_user(criteria['author'], v=v, include_shadowbanned=False) if author.is_private and author.id != v.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye: - if request.headers.get("Authorization"): + if v.client: abort(403, f"@{author.username}'s profile is private; You can't use the 'author' syntax on them") return render_template("search_comments.html", v=v, query=query, total=0, page=page, comments=[], sort=sort, t=t, next_exists=False, error=f"@{author.username}'s profile is private; You can't use the 'author' syntax on them.") @@ -260,7 +260,7 @@ def searchcomments(v): comments = get_comments(ids, v=v) - if request.headers.get("Authorization"): return {"total":total, "data":[x.json for x in comments]} + if v.client: return {"total":total, "data":[x.json for x in comments]} return render_template("search_comments.html", v=v, query=query, total=total, page=page, comments=comments, sort=sort, t=t, next_exists=next_exists, standalone=True) @@ -294,5 +294,5 @@ def searchusers(v): next_exists=(len(users)>25) users=users[:25] - if request.headers.get("Authorization"): return {"data": [x.json for x in users]} + if v.client: return {"data": [x.json for x in users]} return render_template("search_users.html", v=v, query=query, total=total, page=page, users=users, sort=sort, t=t, next_exists=next_exists) diff --git a/files/routes/static.py b/files/routes/static.py index 9c782d069..84422fae6 100644 --- a/files/routes/static.py +++ b/files/routes/static.py 
@@ -81,7 +81,7 @@ def sidebar(v): @app.get("/stats") @auth_required def participation_stats(v): - if request.headers.get("Authorization"): return stats_cached() + if v.client: return stats_cached() return render_template("stats.html", v=v, title="Content Statistics", data=stats_cached()) @cache.memoize(timeout=86400) @@ -431,7 +431,7 @@ def transfers(v): next_exists = len(comments) > 25 comments = comments[:25] - if request.headers.get("Authorization"): + if v.client: return {"data": [x.json for x in comments]} else: return render_template("transfers.html", v=v, page=page, comments=comments, standalone=True, next_exists=next_exists) diff --git a/files/routes/subs.py b/files/routes/subs.py index cf3e73af1..6141e2088 100644 --- a/files/routes/subs.py +++ b/files/routes/subs.py @@ -95,7 +95,7 @@ def unexile(v, sub, uid): ) g.db.add(ma) - if request.headers.get("Authorization") or request.headers.get("xhr"): + if g.is_api_or_xhr: return {"message": f"@{u.username} has been unexiled from /h/{sub} successfully!"} diff --git a/files/routes/users.py b/files/routes/users.py index fa48056a6..d2e5ec54e 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -789,14 +789,14 @@ def u_username(username, v=None): if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): - if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + if g.is_api_or_xhr or request.path.endswith(".json"): abort(403, "This userpage is private") return render_template("userpage_private.html", u=u, v=v) if v and hasattr(u, 'is_blocking') and u.is_blocking: - if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + if g.is_api_or_xhr or request.path.endswith(".json"): abort(403, f"You are blocking @{u.username}.") return render_template("userpage_blocking.html", u=u, v=v) 
@@ -822,7 +822,7 @@ def u_username(username, v=None): listing = get_posts(ids, v=v) if u.unban_utc: - if request.headers.get("Authorization") or request.path.endswith(".json"): + if (v and v.client) or request.path.endswith(".json"): return {"data": [x.json for x in listing]} return render_template("userpage.html", @@ -836,7 +836,7 @@ def u_username(username, v=None): next_exists=next_exists, is_following=is_following) - if request.headers.get("Authorization") or request.path.endswith(".json"): + if (v and v.client) or request.path.endswith(".json"): return {"data": [x.json for x in listing]} return render_template("userpage.html", @@ -869,12 +869,12 @@ def u_username_comments(username, v=None): u = user if u.is_private and (not v or (v.id != u.id and v.admin_level < PERMS['VIEW_PRIVATE_PROFILES'] and not v.eye)): - if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + if g.is_api_or_xhr or request.path.endswith(".json"): abort(403, "This userpage is private") return render_template("userpage_private.html", u=u, v=v) if v and hasattr(u, 'is_blocking') and u.is_blocking: - if request.headers.get("Authorization") or request.headers.get("xhr") or request.path.endswith(".json"): + if g.is_api_or_xhr or request.path.endswith(".json"): abort(403, f"You are blocking @{u.username}.") return render_template("userpage_blocking.html", u=u, v=v) @@ -913,7 +913,7 @@ def u_username_comments(username, v=None): listing = get_comments(ids, v=v) - if request.headers.get("Authorization") or request.path.endswith(".json"): + if v.client or request.path.endswith(".json"): return {"data": [c.json for c in listing]} return render_template("userpage_comments.html", u=user, v=v, listing=listing, page=page, sort=sort, t=t,next_exists=next_exists, is_following=is_following, standalone=True) 
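Review bot: `if v.client or request.path.endswith(".json"):` in u_username_comments dereferences `v` without a guard even though the signature is `u_username_comments(username, v=None)` and the @@ -869 hunk of the same function already handles `not v`, so a logged-out visit to a user's comments page raises AttributeError (500) instead of rendering. The sibling hunks in u_username (@@ -822, @@ -836) use `(v and v.client) or request.path.endswith(".json")`; the same form is needed here: `if (v and v.client) or request.path.endswith(".json"):`. u_username_comments begins before this hunk and continues past it.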
@@ -1063,7 +1063,7 @@ def saved_posts(v, username): listing = get_posts(ids, v=v) - if request.headers.get("Authorization"): return {"data": [x.json for x in listing]} + if v.client: return {"data": [x.json for x in listing]} return render_template("userpage.html", u=v, v=v, @@ -1087,7 +1087,7 @@ def saved_comments(v, username): listing = get_comments(ids, v=v) - if request.headers.get("Authorization"): return {"data": [x.json for x in listing]} + if v.client: return {"data": [x.json for x in listing]} return render_template("userpage_comments.html", u=v, v=v, @@ -1110,7 +1110,7 @@ def subscribed_posts(v, username): listing = get_posts(ids, v=v) - if request.headers.get("Authorization"): return {"data": [x.json for x in listing]} + if v.client: return {"data": [x.json for x in listing]} return render_template("userpage.html", u=v, v=v, diff --git a/files/routes/votes.py b/files/routes/votes.py index cbf3e12de..282d1bf6e 100644 --- a/files/routes/votes.py +++ b/files/routes/votes.py @@ -45,7 +45,7 @@ def vote_info_get(v, link): def vote_post_comment(target_id, new, v, cls, vote_cls): if new == "-1" and DISABLE_DOWNVOTES: abort(403) if new not in ["-1", "0", "1"]: abort(400) - if request.headers.get("Authorization") and v.id != BBBB_ID: abort(403) + if v.client and v.id != BBBB_ID: abort(403) new = int(new) target = None if cls == Submission:
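Review bot: The API-vote ban in vote_post_comment now keys on `v.client` instead of the presence of an Authorization header, which is only equivalent if get_logged_in_user rejects a token that does not resolve to a ClientAuth rather than falling back to the session cookie; that branch is outside this diff, so it should be confirmed, otherwise a session-authenticated request carrying an unmatched header would pass a check the header form caught. A one-line comment would pin the intent: `# API clients may not vote (BBBB excepted); relies on get_logged_in_user() rejecting invalid tokens`. vote_post_comment continues past this hunk.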