From 9e1425d93e7d8457a09c8c94b3660f707b148446 Mon Sep 17 00:00:00 2001
From: Aevann1
Date: Sat, 3 Dec 2022 00:06:57 +0200
Subject: [PATCH] make it so only the post author can declare winner and not all admins
---
 files/classes/submission.py | 2 +-
 files/helpers/const.py | 1 -
 files/routes/admin.py | 5 ++++-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/files/classes/submission.py b/files/classes/submission.py
index 22307759e..8be7ae26d 100644
--- a/files/classes/submission.py
+++ b/files/classes/submission.py
@@ -301,7 +301,7 @@ class Submission(Base):
 if o.exclusive == 3: body += " - WINNER!"
- if not winner and v and v.admin_level >= PERMS['POST_BETS_DISTRIBUTE']:
+ if not winner and v and v.id == self.author_id:
 body += f''''''
 body += ""
 else:
diff --git a/files/helpers/const.py b/files/helpers/const.py
index 96ece78bc..44200865e 100644
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@@ -249,7 +249,6 @@ PERMS = { # Minimum admin_level to perform action.
 'POST_TO_CHANGELOG': 1, # note: code contributors can also post to changelog
 'POST_TO_POLL_THREAD': 2,
 'POST_BETS': 3,
- 'POST_BETS_DISTRIBUTE': 3, # probably should be the same as POST_BETS but w/e
 'VIEW_PENDING_SUBMITTED_MARSEYS': 3,
 'VIEW_PENDING_SUBMITTED_HATS': 3,
 'MODERATE_PENDING_SUBMITTED_MARSEYS': 3, # note: there is an extra check so that only """carp""" can approve them
diff --git a/files/routes/admin.py b/files/routes/admin.py
index e68d343b7..836e5b8fc 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -191,7 +191,7 @@ def remove_admin(v, username):
 @app.post("/distribute/")
 @limiter.limit(DEFAULT_RATELIMIT_SLOWER)
-@admin_level_required(PERMS['POST_BETS_DISTRIBUTE'])
+@auth_required
 def distribute(v, option_id):
 autojanny = get_account(AUTOJANNY_ID)
 if autojanny.coins == 0: abort(400, "@AutoJanny has 0 coins")
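Review bot: The new condition `v.id == self.author_id` drops the permission test entirely, so the control built by the `body += f''''''` line (its markup is stripped on this page) is offered to the author whatever their current `admin_level`; the server-side check added to `distribute` in files/routes/admin.py (hunk at line 209) has the same shape. `PERMS['POST_BETS']` is still defined in const.py, so if creating a bet post requires that level, an author who was later demoted presumably keeps the ability to declare a winner and trigger the distribution. Consider `if not winner and v and v.id == self.author_id and v.admin_level >= PERMS['POST_BETS']:` here and the equivalent test in `distribute`, since this line only decides what is rendered and cannot enforce anything. The enclosing method starts and ends outside this hunk.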
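Review bot: With `@auth_required` replacing `@admin_level_required(...)`, every logged-in user now reaches the body of `distribute`, and the visible lines `autojanny = get_account(AUTOJANNY_ID)` and the 400 abort run before the author check that the later hunk adds at line 209. A non-author therefore learns whether @AutoJanny has coins instead of receiving a 403, and the route's only authorization sits further down in the body where the decorator list no longer signals it. Loading the option first and comparing `v.id != option.post.author_id` ahead of the balance check would deny before doing any other work. A comment above the decorators such as `# authorization: post author only, enforced in the body` would keep the rule visible in admin.py. The function body continues outside this hunk.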
@@ -209,6 +209,9 @@ def distribute(v, option_id):
 post = option.post
+ if v.id != post.author_id:
+ abort(403, "Only the post author can declare the winning bet!")
+
 pool = 0
 for o in post.options:
 if o.exclusive >= 2: pool += o.upvotes
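Review bot: Nothing in these lines stops the author from posting to this route again once a winner has been declared; the template in submission.py hides the control when `winner` is set, but that is display-only. The lines between the balance check and `post = option.post` are outside this hunk, so this may already be handled there; if it is not, reject the request when any option of the post already has `exclusive == 3`, before `pool` is computed. Since the caller is now any post author rather than a level-3 admin, a repeated distribution from @AutoJanny is worth ruling out explicitly on the server side.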