rDrama
/
rDrama
9
10
Fork 7
Code Issues Pull Requests Packages Releases Wiki Activity

security: don't leak comment contents for removed/deleted comments

remotes/1693176582716663532/tmp_refs/heads/watchparty
justcool393 2022-10-04 16:51:42 -07:00 committed by GitHub
parent 31725a0684
commit 93fb4f40d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
files/classes/comment.py
View File

@ -330,6 +330,8 @@ class Comment(Base):
def realbody(self, v):
if self.post and self.post.club and not (v and (v.paid_dues or v.id in [self.author_id, self.post.author_id] or (self.parent_comment and v.id == self.parent_comment.author_id))):
return f"<p>{CC} ONLY</p>"
if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]"
if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]";
body = self.body_html or ""
@ -395,6 +397,8 @@ class Comment(Base):
def plainbody(self, v):
if self.post and self.post.club and not (v and (v.paid_dues or v.id in [self.author_id, self.post.author_id] or (self.parent_comment and v.id == self.parent_comment.author_id))):
return f"{CC} ONLY"
if self.deleted_utc != 0 and not (v and (v.admin_level >= 2) or v.id == self.author.id): return "[Deleted by user]"
if self.is_banned and not (v and v.admin_level >= 2): return "[Removed by admins]";
body = self.body