diff --git a/files/mail/__init__.py b/files/mail/__init__.py
index 86c79d0b1..c05b8424d 100644
--- a/files/mail/__init__.py
+++ b/files/mail/__init__.py
@@ -51,8 +51,8 @@ def send_verification_email(user, email=None):
 @app.post("/verify_email")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def verify_email(v):
 send_verification_email(v)
diff --git a/files/routes/awards.py b/files/routes/awards.py
index fd386cddc..aa7bd4f6b 100644
--- a/files/routes/awards.py
+++ b/files/routes/awards.py
@@ -121,8 +121,8 @@ def buy(v, award):
 @app.post("/award//")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @is_not_permabanned
+@ratelimit_user()
 @feature_required('AWARDS')
 def award_thing(v, thing_type, id):
 if thing_type == 'post':
diff --git a/files/routes/comments.py b/files/routes/comments.py
index efb401a2c..66bcfe096 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -458,8 +458,8 @@ def edit_comment(cid, v):
 @app.post("/delete/comment/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def delete_comment(cid, v):
 c = get_comment(cid, v=v)
@@ -486,8 +486,8 @@ def delete_comment(cid, v):
 @app.post("/undelete/comment/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def undelete_comment(cid, v):
 c = get_comment(cid, v=v)
@@ -558,8 +558,8 @@ def unpin_comment(cid, v):
 @app.post("/save_comment/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def save_comment(cid, v):
 comment=get_comment(cid)
@@ -575,8 +575,8 @@ def save_comment(cid, v):
 @app.post("/unsave_comment/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def unsave_comment(cid, v):
 comment=get_comment(cid)
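Review bot: In the award_thing hunk, `@feature_required('AWARDS')` still sits below the moved `@ratelimit_user()`, so at request time the per-user limit is consumed before the feature gate runs; the same ordering appears in settings_images_banner, settings_pronouns_change and transfer_bux, while the verify_email hunk here and every other route in the diff place `@ratelimit_user()` directly above `def`. If, as the move suggests, `ratelimit_user` needs the user resolved by `@auth_required` / `@is_not_permabanned`, the consistent placement is above `def` and below `@feature_required(...)`, so that a request for a disabled feature is rejected (presumably by an abort inside feature_required) without spending the user's budget. The ordering constraint itself is stated nowhere in the diff; a comment on the definition of `ratelimit_user` (outside this diff) such as `# Must be applied below @auth_required / @is_not_permabanned: the limit is keyed on the resolved user v` would keep the next route from regressing. The decorated functions' bodies continue outside every hunk.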
@@ -611,8 +611,8 @@ def diff_words(answer, guess):
 @app.post("/wordle/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def handle_wordle_action(cid, v):
 comment = get_comment(cid)
diff --git a/files/routes/login.py b/files/routes/login.py
index f9202ad7c..20d7db208 100644
--- a/files/routes/login.py
+++ b/files/routes/login.py
@@ -181,8 +181,8 @@ def me(v):
 @app.post("/logout")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def logout(v):
 loggedin = cache.get(f'{SITE}_loggedin') or {}
diff --git a/files/routes/notifications.py b/files/routes/notifications.py
index a7fde6444..8cc6c516d 100644
--- a/files/routes/notifications.py
+++ b/files/routes/notifications.py
@@ -5,8 +5,8 @@ from files.__main__ import app
 import time
 @app.post("/clear")
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def clear(v):
 notifs = g.db.query(Notification).join(Notification.comment).filter(Notification.read == False, Notification.user_id == v.id).all()
 for n in notifs:
@@ -19,8 +19,8 @@ def clear(v):
 @app.get("/unread")
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def unread(v):
 listing = g.db.query(Notification, Comment).join(Notification.comment).filter(
 Notification.read == False,
diff --git a/files/routes/oauth.py b/files/routes/oauth.py
index af6eb3ccc..1885a7b04 100644
--- a/files/routes/oauth.py
+++ b/files/routes/oauth.py
@@ -18,8 +18,8 @@ def authorize_prompt(v):
 @app.post("/authorize")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def authorize(v):
 client_id = request.values.get("client_id")
@@ -40,8 +40,8 @@ def authorize(v):
 @app.post("/rescind/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def rescind(v, aid):
 auth = g.db.query(ClientAuth).filter_by(oauth_client = aid, user_id = v.id).one_or_none()
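Review bot: In the notifications.py hunks, `/clear` and `/unread` carry only `@ratelimit_user()` and no `@limiter.limit(DEFAULT_RATELIMIT_SLOWER)`, unlike every other route touched by this diff. With the user-scoped limiter now running after `@auth_required`, nothing in the decorator stack bounds unauthenticated requests to these two endpoints before the auth check; that is probably acceptable if auth_required rejects them cheaply, but `/unread` is a GET that is likely polled and a per-user limit inside auth is the only throttle it has. Worth confirming that this is intended rather than an omission, or adding `@limiter.limit(DEFAULT_RATELIMIT_SLOWER)` above `@auth_required` on both routes for parity with the rest of the change. The bodies of clear and unread continue outside the hunks.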
@@ -52,8 +52,8 @@ def rescind(v, aid):
 @app.post("/api_keys")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @is_not_permabanned
+@ratelimit_user()
 def request_api_keys(v):
 new_app = OauthApp(
@@ -94,8 +94,8 @@ def request_api_keys(v):
 @app.post("/delete_app/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def delete_oauth_app(v, aid):
 try: aid = int(aid)
@@ -117,8 +117,8 @@ def delete_oauth_app(v, aid):
 @app.post("/edit_app/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @is_not_permabanned
+@ratelimit_user()
 def edit_oauth_app(v, aid):
 try: aid = int(aid)
@@ -285,8 +285,8 @@ def admin_apps_list(v):
 @app.post("/reroll/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def reroll_oauth_tokens(aid, v):
 aid = aid
diff --git a/files/routes/posts.py b/files/routes/posts.py
index 05fc6b983..ef3a7e3f5 100644
--- a/files/routes/posts.py
+++ b/files/routes/posts.py
@@ -79,8 +79,8 @@ def unclub_post(pid, v):
 @app.post("/publish/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def publish(pid, v):
 post = get_post(pid)
 if not post.private: return {"message": "Post published!"}
@@ -955,8 +955,8 @@ def submit_post(v, sub=None):
 @app.post("/delete_post/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def delete_post_pid(pid, v):
 post = get_post(pid)
 if post.author_id != v.id: abort(403)
@@ -982,8 +982,8 @@ def delete_post_pid(pid, v):
 @app.post("/undelete_post/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def undelete_post_pid(pid, v):
 post = get_post(pid)
 if post.author_id != v.id: abort(403)
@@ -1038,8 +1038,8 @@ def toggle_post_nsfw(pid, v):
 @app.post("/save_post/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def save_post(pid, v):
 post=get_post(pid)
@@ -1054,8 +1054,8 @@ def save_post(pid, v):
 @app.post("/unsave_post/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def unsave_post(pid, v):
 post=get_post(pid)
diff --git a/files/routes/reporting.py b/files/routes/reporting.py
index b92f88fad..bdab13678 100644
--- a/files/routes/reporting.py
+++ b/files/routes/reporting.py
@@ -9,8 +9,8 @@ from files.helpers.sanitize import filter_emojis_only
 @app.post("/report/post/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def flag_post(pid, v):
 post = get_post(pid)
 reason = request.values.get("reason", "").strip()
@@ -62,8 +62,8 @@ def flag_post(pid, v):
 @app.post("/report/comment/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def flag_comment(cid, v):
 comment = get_comment(cid)
diff --git a/files/routes/settings.py b/files/routes/settings.py
index 90bd8a241..6fec6c447 100644
--- a/files/routes/settings.py
+++ b/files/routes/settings.py
@@ -28,8 +28,8 @@ def settings_personal(v):
 @app.delete('/settings/background')
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def remove_background(v):
 if v.background: v.background = None
@@ -38,8 +38,8 @@ def remove_background(v):
 @app.post("/settings/personal")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_personal_post(v):
 updated = False
@@ -319,22 +319,22 @@ def set_color(v:User, attr:str, color:Optional[str]):
 @app.post("/settings/namecolor")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def namecolor(v):
 return set_color(v, "namecolor", request.values.get("namecolor"))
 @app.post("/settings/themecolor")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def themecolor(v):
 return set_color(v, "themecolor", request.values.get("themecolor"))
 @app.post("/settings/gumroad")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def gumroad(v):
 if not (v.email and v.is_activated): abort(400, f"You must have a verified email to verify {patron} status and claim your rewards!")
@@ -369,23 +369,23 @@ def gumroad(v):
 @app.post("/settings/titlecolor")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def titlecolor(v):
 return set_color(v, "titlecolor", request.values.get("titlecolor"))
 @app.post("/settings/verifiedcolor")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def verifiedcolor(v):
 if not v.verified: abort(403, "You don't have a checkmark")
 return set_color(v, "verifiedcolor", "verifiedcolor")
 @app.post("/settings/security")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_security_post(v):
 if request.values.get("new_password"):
 if request.values.get("new_password") != request.values.get("cnf_password"):
@@ -457,8 +457,8 @@ def settings_security_post(v):
 @app.post("/settings/log_out_all_others")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_log_out_others(v):
 submitted_password = request.values.get("password", "").strip()
 if not v.verifyPass(submitted_password):
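Review bot: In the `@@ -369,23 +369,23 @@` hunk, verifiedcolor ends with `return set_color(v, "verifiedcolor", "verifiedcolor")`, passing the literal string as the colour, whereas namecolor, themecolor and titlecolor in the same two hunks pass `request.values.get(...)`. Unless set_color treats that literal specially (its body is outside the diff), the submitted value is never read and the route cannot actually change the colour; the parallel form would be `return set_color(v, "verifiedcolor", request.values.get("verifiedcolor"))`. This is context rather than something the commit introduced, so it is a follow-up rather than a blocker. verifiedcolor is shown in full here; settings_security_post and settings_log_out_others continue outside the hunks.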
@@ -472,8 +472,8 @@ def settings_log_out_others(v):
 @app.post("/settings/images/profile")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_images_profile(v):
 if request.headers.get("cf-ipcountry") == "T1": abort(403, "Image uploads are not allowed through TOR.")
@@ -507,8 +507,8 @@ def settings_images_profile(v):
 @app.post("/settings/images/banner")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 @feature_required('USERS_PROFILE_BANNER')
 def settings_images_banner(v):
 if request.headers.get("cf-ipcountry") == "T1": abort(403, "Image uploads are not allowed through TOR.")
@@ -535,8 +535,8 @@ def settings_css_get(v):
 @app.post("/settings/css")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_css(v):
 if v.agendaposter: abort(400, "Agendapostered users can't edit CSS!")
 css = request.values.get("css", v.css).strip().replace('\\', '').strip()[:4000]
@@ -549,8 +549,8 @@ def settings_css(v):
 @app.post("/settings/profilecss")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_profilecss(v):
 profilecss = request.values.get("profilecss", v.profilecss).strip().replace('\\', '').strip()[:4000]
 valid, error = validate_css(profilecss)
@@ -598,8 +598,8 @@ def settings_block_user(v):
 @app.post("/settings/unblock")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_unblock_user(v):
 user = get_user(request.values.get("username"))
 x = v.has_blocked(user)
@@ -622,8 +622,8 @@ def settings_advanced_get(v):
 @app.post("/settings/name_change")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @is_not_permabanned
+@ratelimit_user()
 def settings_name_change(v):
 new_name=request.values.get("name").strip()
@@ -764,8 +764,8 @@ def settings_song_change(v):
 @app.post("/settings/title_change")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_title_change(v):
 if v.flairchanged: abort(403)
@@ -788,8 +788,8 @@ def settings_title_change(v):
 @app.post("/settings/pronouns_change")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 @feature_required('PRONOUNS')
 def settings_pronouns_change(v):
 pronouns = sanitize_settings_text(request.values.get("pronouns"))
@@ -815,8 +815,8 @@ def settings_pronouns_change(v):
 @app.post("/settings/checkmark_text")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def settings_checkmark_text(v):
 if not v.verified: abort(403)
 new_name = sanitize_settings_text(request.values.get("checkmark-text"), 100)
diff --git a/files/routes/subs.py b/files/routes/subs.py
index 2518471d0..7521451a8 100644
--- a/files/routes/subs.py
+++ b/files/routes/subs.py
@@ -387,8 +387,8 @@ def sub_settings(v, sub):
 @app.post('/h//sidebar')
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @is_not_permabanned
+@ratelimit_user()
 def post_sub_sidebar(v, sub):
 sub = get_sub_by_name(sub)
 if not v.mods(sub.name): abort(403)
@@ -412,8 +412,8 @@ def post_sub_sidebar(v, sub):
 @app.post('/h//css')
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @is_not_permabanned
+@ratelimit_user()
 def post_sub_css(v, sub):
 sub = get_sub_by_name(sub)
 css = request.values.get('css', '').strip()
diff --git a/files/routes/users.py b/files/routes/users.py
index 5c15cf381..c07def4c8 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -313,15 +313,15 @@ def transfer_currency(v:User, username:str, currency_name:Literal['coins', 'proc
 @app.post("/@/transfer_coins")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @is_not_permabanned
+@ratelimit_user()
 def transfer_coins(v, username):
 return transfer_currency(v, username, 'coins', True)
 @app.post("/@/transfer_bux")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @is_not_permabanned
+@ratelimit_user()
 @feature_required('PROCOINS')
 def transfer_bux(v, username):
 return transfer_currency(v, username, 'procoins', False)
@@ -393,8 +393,8 @@ def song(song):
 @app.post("/subscribe/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def subscribe(v, post_id):
 existing = g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).one_or_none()
 if not existing:
@@ -404,8 +404,8 @@ def subscribe(v, post_id):
 @app.post("/unsubscribe/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def unsubscribe(v, post_id):
 existing = g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).one_or_none()
 if existing:
@@ -832,8 +832,8 @@ def u_user_id_info(id, v=None):
 @app.post("/follow/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def follow_user(username, v):
 target = get_user(username, v=v, include_shadowbanned=False)
@@ -859,8 +859,8 @@ def follow_user(username, v):
 @app.post("/unfollow/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def unfollow_user(username, v):
 target = get_user(username)
@@ -887,8 +887,8 @@ def unfollow_user(username, v):
 @app.post("/remove_follow/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@ratelimit_user()
 @auth_required
+@ratelimit_user()
 def remove_follow(username, v):
 target = get_user(username)