diff --git a/.gitignore b/.gitignore index a3c077c10..f84c98ea3 100644 --- a/.gitignore +++ b/.gitignore @@ -3,7 +3,8 @@ video.mp4 video.webm cache/ __pycache__/ -disablesignups +disable_signups +under_attack .idea/ **/.pytest_cache/ venv/ diff --git a/disablesignups b/disablesignups deleted file mode 100644 index 54299a48f..000000000 --- a/disablesignups +++ /dev/null @@ -1 +0,0 @@ -no \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml index 6f61ea300..c841da7e6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -43,6 +43,8 @@ services: - MAIL_USERNAME=blahblahblah@gmail.com - MAIL_PASSWORD=3435tdfsdudebussylmaoxxt43 - DESCRIPTION=rdrama.net caters to drama in all forms such as Real life, videos, photos, gossip, rumors, news sites, Reddit, and Beyond™. There isn't drama we won't touch, and we want it all! + - CF_KEY=3435tdfsdudebussylmaoxxt43 + - CF_ZONE=3435tdfsdudebussylmaoxxt43 links: - "redis" - "postgres" diff --git a/env b/env index 9905cc15d..96faafb90 100644 --- a/env +++ b/env @@ -31,4 +31,6 @@ export DEFAULT_THEME="midnight" export DEFAULT_COLOR="ff66ac" # YOU HAVE TO PICK ONE OF THOSE COLORS OR SHIT WILL BREAK: ff66ac, 805ad5, 62ca56, 38a169, 80ffff, 2a96f3, eb4963, ff0000, f39731, 30409f, 3e98a7, e4432d, 7b9ae4, ec72de, 7f8fa6, f8db58 export MAIL_USERNAME="blahblahblah@gmail.com" export MAIL_PASSWORD="3435tdfsdudebussylmaoxxt43" -export DESCRIPTION="rdrama.net caters to drama in all forms such as: Real life, videos, photos, gossip, rumors, news sites, Reddit, and Beyond™. There isn't drama we won't touch, and we want it all!" \ No newline at end of file +export DESCRIPTION="rdrama.net caters to drama in all forms such as: Real life, videos, photos, gossip, rumors, news sites, Reddit, and Beyond™. There isn't drama we won't touch, and we want it all!" +export CF_KEY="3435tdfsdudebussylmaoxxt43" +export CF_ZONE="3435tdfsdudebussylmaoxxt43" \ No newline at end of file 
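Review bot: `CF_KEY` is a Cloudflare API credential, and this hunk adds it to two tracked files (`docker-compose.yml` and `env`) alongside `MAIL_PASSWORD`, so whatever value is deployed from these files ends up in git history; the placeholder value is fine as a sample, but the real token should be injected from an untracked secret source rather than edited into either file. The only consumer added in this commit (`under_attack` in `files/routes/admin.py`) patches `zones/{CF_ZONE}/settings/security_level`, so a token restricted to that single zone with only the zone-settings edit permission limits what a leak of this file can do, and a comment next to `CF_KEY` saying so would help whoever fills it in: `# zone-scoped API token with "Zone Settings: Edit" only; do not commit a real value`.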
diff --git a/files/classes/mod_logs.py b/files/classes/mod_logs.py index 95e0002b9..e4ddf342a 100644 --- a/files/classes/mod_logs.py +++ b/files/classes/mod_logs.py @@ -174,6 +174,16 @@ ACTIONTYPES={ "icon": "fa-user", "color": "bg-success", }, + "disable_under_attack": { + "str": "disabled under attack mode", + "icon": "fa-shield", + "color": "bg-success", + }, + "enable_under_attack": { + "str": "enabled under attack mode", + "icon": "fa-shield", + "color": "bg-danger", + }, "ban_user":{ "str":'banned user {self.target_link}', "icon":"fa-user-slash", diff --git a/files/helpers/wrappers.py b/files/helpers/wrappers.py index 01e453230..e76e82ba2 100644 --- a/files/helpers/wrappers.py +++ b/files/helpers/wrappers.py @@ -23,8 +23,13 @@ def get_logged_in_user(): v = g.db.query(User).filter_by(id=lo_user).one_or_none() if not v or nonce < v.login_nonce: return None - v.client = None + + if request.method != "GET": + submitted_key = request.values.get("formkey") + if not submitted_key: abort(401) + elif not v.validate_formkey(submitted_key): abort(401) + return v def check_ban_evade(v): @@ -110,21 +115,4 @@ def admin_level_required(x): wrapper.__name__ = f.__name__ return wrapper - return wrapper_maker - - -def validate_formkey(f): - def wrapper(*args, v, **kwargs): - - if not request.headers.get("Authorization"): - - submitted_key = request.values.get("formkey", None) - - if not submitted_key: abort(401) - - elif not v.validate_formkey(submitted_key): abort(401) - - return f(*args, v=v, **kwargs) - - wrapper.__name__ = f.__name__ - return wrapper \ No newline at end of file + return wrapper_maker \ No newline at end of file diff --git a/files/mail/__init__.py b/files/mail/__init__.py index cc41e10f7..64388e68a 100644 --- a/files/mail/__init__.py +++ b/files/mail/__init__.py 
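Review bot: The formkey check moved into `get_logged_in_user` drops the `Authorization`-header exemption the deleted `validate_formkey` decorator had, and it now fires for every method other than `GET`, including `HEAD`, which Flask dispatches to the GET view with `request.method == 'HEAD'`, so a logged-in client's HEAD request would be aborted with 401. Whether token-authenticated API clients still reach this branch depends on the part of `get_logged_in_user` above the hunk, which is not visible here, and the removed `v.client = None` line is not replaced, so any later code that reads `v.client` to distinguish session users from API clients needs checking. Limiting the check to state-changing methods keeps the CSRF protection without the HEAD case: `if request.method not in ("GET", "HEAD", "OPTIONS"):`. The function starts outside the hunk.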
@@ -43,7 +43,6 @@ def send_verification_email(user, email=None): @app.post("/verify_email") @limiter.limit("1/second") @auth_required -@validate_formkey def api_verify_email(v): send_verification_email(v) diff --git a/files/routes/admin.py b/files/routes/admin.py index 32e35463d..4fec5cb97 100644 --- a/files/routes/admin.py +++ b/files/routes/admin.py @@ -23,14 +23,18 @@ SITE_NAME = environ.get("SITE_NAME", "").strip() GUMROAD_ID = environ.get("GUMROAD_ID", "tfcvri").strip() GUMROAD_TOKEN = environ.get("GUMROAD_TOKEN", "").strip() +CF_KEY = environ.get("CF_KEY", "").strip() +CF_ZONE = environ.get("CF_ZONE", "").strip() +CF_HEADERS = {"Authorization": f"Bearer {CF_KEY}", "Content-Type": "application/json"} + if SITE_NAME == 'PCM': cc = "splash mountain" else: cc = "country club" month = datetime.now().strftime('%B') + @app.post("/@/make_admin") @limiter.limit("1/second") @admin_level_required(3) -@validate_formkey def make_admin(v, username): if request.host == 'rdrama.net': abort(403) user = get_user(username) @@ -44,7 +48,6 @@ def make_admin(v, username): @app.post("/@/remove_admin") @limiter.limit("1/second") @admin_level_required(3) -@validate_formkey def remove_admin(v, username): user = get_user(username) if not user: abort(404) @@ -91,7 +94,6 @@ def distribute(v, comment): @app.post("/@/revert_actions") @limiter.limit("1/second") @admin_level_required(3) -@validate_formkey def revert_actions(v, username): user = get_user(username) if not user: abort(404) @@ -130,7 +132,6 @@ def revert_actions(v, username): @app.post("/@/club_allow") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def club_allow(v, username): u = get_user(username, v=v) @@ -152,7 +153,6 @@ def club_allow(v, username): @app.post("/@/club_ban") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def club_ban(v, username): u = get_user(username, v=v) 
@@ -174,7 +174,6 @@ def club_ban(v, username): @app.post("/@/make_meme_admin") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def make_meme_admin(v, username): if request.host == 'pcmemes.net' or (SITE_NAME == 'Drama' and v.admin_level > 2) or (request.host != 'rdrama.net' and request.host != 'pcmemes.net'): user = get_user(username) @@ -188,7 +187,6 @@ def make_meme_admin(v, username): @app.post("/@/remove_meme_admin") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def remove_meme_admin(v, username): if request.host == 'pcmemes.net' or (SITE_NAME == 'Drama' and v.admin_level > 2) or (request.host != 'rdrama.net' and request.host != 'pcmemes.net'): user = get_user(username) @@ -202,7 +200,6 @@ def remove_meme_admin(v, username): @app.post("/admin/monthly") @limiter.limit("1/day") @admin_level_required(3) -@validate_formkey def monthly(v): if request.host == 'rdrama.net' and v.id != AEVANN_ID: abort (403) @@ -247,7 +244,6 @@ def get_sidebar(v): @app.post('/admin/sidebar') @limiter.limit("1/second") @admin_level_required(3) -@validate_formkey def post_sidebar(v): text = request.values.get('sidebar', '').strip() 
@@ -351,21 +347,21 @@ def reported_comments(v): @admin_level_required(2) def admin_home(v): - with open('disablesignups', 'r') as f: x = f.read() + with open('disable_signups', 'r') as f: x = f.read() + with open('under_attack', 'r') as f: x2 = f.read() - if not v or v.oldsite: return render_template("admin/admin_home.html", v=v, x=x) + if not v or v.oldsite: return render_template("admin/admin_home.html", v=v, x=x, x2=x2) actions = g.db.query(ModAction).order_by(ModAction.id.desc()).limit(10).all() - return render_template("CHRISTMAS/admin/admin_home.html", actions=actions, v=v, x=x) + return render_template("CHRISTMAS/admin/admin_home.html", actions=actions, v=v, x=x, x2=x2) -@app.post("/admin/disablesignups") +@app.post("/admin/disable_signups") @admin_level_required(3) -@validate_formkey -def disablesignups(v): - with open('disablesignups', 'r') as f: content = f.read() +def disable_signups(v): + with open('disable_signups', 'r') as f: content = f.read() - with open('disablesignups', 'w') as f: + with open('disable_signups', 'w') as f: if content == "yes": f.write("no") ma = ModAction( @@ -385,6 +381,35 @@ def disablesignups(v): g.db.commit() return {"message": "Signups disabled!"} + +@app.post("/admin/under_attack") +@admin_level_required(2) +def under_attack(v): + with open('under_attack', 'r') as f: content = f.read() + + with open('under_attack', 'w') as f: + if content == "yes": + f.write("no") + ma = ModAction( + kind="disable_under_attack", + user_id=v.id, + ) + g.db.add(ma) + g.db.commit() + data='{"value":"high"}' + else: + f.write("yes") + ma = ModAction( + kind="enable_under_attack", + user_id=v.id, + ) + g.db.add(ma) + g.db.commit() + data='{"value":"under_attack"}' + + response = requests.patch(f'https://api.cloudflare.com/client/v4/zones/{CF_ZONE}/settings/security_level', headers=CF_HEADERS, data=data) + return {"message": response.text} + @app.get("/admin/badge_grant") @admin_level_required(2) def badge_grant_get(v): 
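Review bot: The new `under_attack` route writes the flag file and commits the `ModAction` before `requests.patch` runs, so if Cloudflare rejects the call the local state and the audit log say the mode changed while the zone did not; the call also has no `timeout`, and `response.text` is returned verbatim to the browser, which passes any Cloudflare error body straight through to the admin. Restoring `high` when disabling is a hard-coded guess at the previous security level, and `@admin_level_required(2)` is one level below the `disable_signups` toggle directly above it, so a level-2 admin can now flip a site-wide Cloudflare setting. Because the .gitignore hunk deletes the tracked `disablesignups` file and ignores both `disable_signups` and `under_attack`, a fresh checkout has neither file and `open('under_attack', 'r')` in `admin_home` raises `FileNotFoundError` until someone creates them by hand. The rewrite below calls Cloudflare first with a timeout, checks `response.ok`, and only then persists the flag and the `ModAction`; it assumes `requests` is already imported in admin.py, which this hunk does not show.
```python
@app.post("/admin/under_attack")
@admin_level_required(3)
def under_attack(v):
    with open('under_attack', 'r') as f: content = f.read()

    enabling = content != "yes"
    # "high" is an assumption about the level in effect before the mode was turned on.
    data = '{"value":"under_attack"}' if enabling else '{"value":"high"}'
    response = requests.patch(
        f'https://api.cloudflare.com/client/v4/zones/{CF_ZONE}/settings/security_level',
        headers=CF_HEADERS, data=data, timeout=10)
    # Do not record a change that the zone did not actually apply.
    if not response.ok:
        return {"error": "Cloudflare rejected the security level change."}, 502

    with open('under_attack', 'w') as f:
        f.write("yes" if enabling else "no")
    ma = ModAction(
        kind="enable_under_attack" if enabling else "disable_under_attack",
        user_id=v.id,
    )
    g.db.add(ma)
    g.db.commit()
    return {"message": "Under attack mode enabled!" if enabling else "Under attack mode disabled!"}
```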
@@ -397,7 +422,6 @@ def badge_grant_get(v): @app.post("/admin/badge_grant") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def badge_grant_post(v): if not v or v.oldsite: template = '' else: template = 'CHRISTMAS/' @@ -571,7 +595,6 @@ def alt_votes_get(v): @app.post("/admin/link_accounts") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_link_accounts(v): u1 = int(request.values.get("u1")) @@ -643,7 +666,6 @@ def admin_removed_comments(v): @app.post("/agendaposter/") @admin_level_required(2) -@validate_formkey def agendaposter(user_id, v): user = g.db.query(User).filter_by(id=user_id).one_or_none() @@ -700,7 +722,6 @@ def agendaposter(user_id, v): @app.post("/shadowban/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def shadowban(user_id, v): user = g.db.query(User).filter_by(id=user_id).one_or_none() if user.admin_level != 0: abort(403) @@ -726,7 +747,6 @@ def shadowban(user_id, v): @app.post("/unshadowban/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def unshadowban(user_id, v): user = g.db.query(User).filter_by(id=user_id).one_or_none() if user.admin_level != 0: abort(403) @@ -753,7 +773,6 @@ def unshadowban(user_id, v): @app.post("/admin/verify/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def verify(user_id, v): user = g.db.query(User).filter_by(id=user_id).one_or_none() user.verified = "Verified" @@ -772,7 +791,6 @@ def verify(user_id, v): @app.post("/admin/unverify/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def unverify(user_id, v): user = g.db.query(User).filter_by(id=user_id).one_or_none() user.verified = None @@ -792,7 +810,6 @@ def unverify(user_id, v): @app.post("/admin/title_change/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_title_change(user_id, v): user = g.db.query(User).filter_by(id=user_id).one_or_none() 
@@ -826,7 +843,6 @@ def admin_title_change(user_id, v): @app.post("/ban_user/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def ban_user(user_id, v): user = g.db.query(User).filter_by(id=user_id).one_or_none() @@ -886,7 +902,6 @@ def ban_user(user_id, v): @app.post("/unban_user/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def unban_user(user_id, v): user = g.db.query(User).filter_by(id=user_id).one_or_none() @@ -926,7 +941,6 @@ def unban_user(user_id, v): @app.post("/ban_post/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def ban_post(post_id, v): post = g.db.query(Submission).filter_by(id=post_id).one_or_none() @@ -963,7 +977,6 @@ def ban_post(post_id, v): @app.post("/unban_post/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def unban_post(post_id, v): post = g.db.query(Submission).filter_by(id=post_id).one_or_none() @@ -996,7 +1009,6 @@ def unban_post(post_id, v): @app.post("/distinguish/") @admin_level_required(1) -@validate_formkey def api_distinguish_post(post_id, v): post = g.db.query(Submission).filter_by(id=post_id).one_or_none() @@ -1022,7 +1034,6 @@ def api_distinguish_post(post_id, v): @app.post("/sticky/") @admin_level_required(2) -@validate_formkey def sticky_post(post_id, v): post = g.db.query(Submission).filter_by(id=post_id).one_or_none() @@ -1045,7 +1056,6 @@ def sticky_post(post_id, v): @app.post("/unsticky/") @admin_level_required(2) -@validate_formkey def unsticky_post(post_id, v): post = g.db.query(Submission).filter_by(id=post_id).one_or_none() @@ -1072,7 +1082,6 @@ def unsticky_post(post_id, v): @app.post("/sticky_comment/") @admin_level_required(2) -@validate_formkey def sticky_comment(cid, v): comment = get_comment(cid, v=v) @@ -1089,7 +1098,6 @@ def sticky_comment(cid, v): @app.post("/unsticky_comment/") @admin_level_required(2) -@validate_formkey def unsticky_comment(cid, v): comment = get_comment(cid, v=v) 
@@ -1117,7 +1125,6 @@ def unsticky_comment(cid, v): @app.post("/ban_comment/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def api_ban_comment(c_id, v): comment = g.db.query(Comment).filter_by(id=c_id).one_or_none() @@ -1141,7 +1148,6 @@ def api_ban_comment(c_id, v): @app.post("/unban_comment/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def api_unban_comment(c_id, v): comment = g.db.query(Comment).filter_by(id=c_id).one_or_none() @@ -1170,7 +1176,6 @@ def api_unban_comment(c_id, v): @app.post("/distinguish_comment/") @admin_level_required(1) -@validate_formkey def admin_distinguish_comment(c_id, v): @@ -1205,7 +1210,6 @@ def admin_banned_domains(v): @app.post("/admin/banned_domains") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_toggle_ban_domain(v): domain=request.values.get("domain", "").strip() @@ -1241,7 +1245,6 @@ def admin_toggle_ban_domain(v): @app.post("/admin/nuke_user") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_nuke_user(v): user=get_user(request.values.get("user")) @@ -1275,7 +1278,6 @@ def admin_nuke_user(v): @app.post("/admin/unnuke_user") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_nunuke_user(v): user=get_user(request.values.get("user")) diff --git a/files/routes/awards.py b/files/routes/awards.py index ce4ed3809..e0449a4eb 100644 --- a/files/routes/awards.py +++ b/files/routes/awards.py @@ -84,7 +84,6 @@ def shop(v): @app.post("/buy/") @auth_required -@validate_formkey def buy(v, award): AWARDS = deepcopy(AWARDS2) @@ -181,7 +180,6 @@ def buy(v, award): @app.post("/post//awards") @limiter.limit("1/second") @auth_required -@validate_formkey def award_post(pid, v): if v.shadowbanned: return render_template('errors/500.html', error=True, v=v), 500 
@@ -365,7 +363,6 @@ def award_post(pid, v): @app.post("/comment//awards") @limiter.limit("1/second") @auth_required -@validate_formkey def award_comment(cid, v): if v.shadowbanned: return render_template('errors/500.html', error=True, v=v), 500 @@ -556,7 +553,6 @@ def admin_userawards_get(v): @app.post("/admin/awards") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_userawards_post(v): if not v or v.oldsite: template = '' else: template = 'CHRISTMAS/' diff --git a/files/routes/comments.py b/files/routes/comments.py index 9332a7fb6..4fa296af8 100644 --- a/files/routes/comments.py +++ b/files/routes/comments.py @@ -136,7 +136,6 @@ def post_pid_comment_cid(cid, pid=None, anything=None, v=None): @limiter.limit("1/second") @limiter.limit("6/minute") @auth_required -@validate_formkey def api_comment(v): if v.is_suspended: return {"error": "You can't perform this action while banned."}, 403 @@ -549,7 +548,6 @@ def api_comment(v): @app.post("/edit_comment/") @limiter.limit("1/second") @auth_required -@validate_formkey def edit_comment(cid, v): if v and v.patron: if request.content_length > 8 * 1024 * 1024: return {"error":"Max file size is 8 MB."}, 413 @@ -739,7 +737,6 @@ def edit_comment(cid, v): @app.post("/delete/comment/") @limiter.limit("1/second") @auth_required -@validate_formkey def delete_comment(cid, v): c = g.db.query(Comment).filter_by(id=cid).one_or_none() @@ -761,7 +758,6 @@ def delete_comment(cid, v): @app.post("/undelete/comment/") @limiter.limit("1/second") @auth_required -@validate_formkey def undelete_comment(cid, v): c = g.db.query(Comment).filter_by(id=cid).one_or_none() @@ -785,7 +781,6 @@ def undelete_comment(cid, v): @app.post("/pin_comment/") @auth_required -@validate_formkey def pin_comment(cid, v): comment = get_comment(cid, v=v) @@ -806,7 +801,6 @@ def pin_comment(cid, v): @app.post("/unpin_comment/") @auth_required -@validate_formkey def unpin_comment(cid, v): comment = get_comment(cid, v=v) 
@@ -828,7 +822,6 @@ def unpin_comment(cid, v): @app.post("/save_comment/") @limiter.limit("1/second") @auth_required -@validate_formkey def save_comment(cid, v): comment=get_comment(cid) @@ -847,7 +840,6 @@ def save_comment(cid, v): @app.post("/unsave_comment/") @limiter.limit("1/second") @auth_required -@validate_formkey def unsave_comment(cid, v): comment=get_comment(cid) diff --git a/files/routes/errors.py b/files/routes/errors.py index 4d9a76807..51c54c96b 100644 --- a/files/routes/errors.py +++ b/files/routes/errors.py @@ -1,5 +1,3 @@ -import jinja2.exceptions - from files.helpers.wrappers import * from flask import * from urllib.parse import quote, urlencode @@ -8,10 +6,9 @@ from files.__main__ import app, limiter @app.errorhandler(400) -@auth_desired -def error_400(e, v): +def error_400(e): if request.headers.get("Authorization"): return {"error": "400 Bad Request"}, 400 - else: return render_template('errors/400.html', error=True, v=v), 400 + else: return render_template('errors/400.html', error=True), 400 @app.errorhandler(401) def error_401(e): 
@@ -26,40 +23,35 @@ def error_401(e): @app.errorhandler(403) -@auth_desired -def error_403(e, v): +def error_403(e): if request.headers.get("Authorization"): return {"error": "403 Forbidden"}, 403 - else: return render_template('errors/403.html', error=True, v=v), 403 + else: return render_template('errors/403.html', error=True), 403 @app.errorhandler(404) -@auth_desired -def error_404(e, v): +def error_404(e): if request.headers.get("Authorization"): return {"error": "404 Not Found"}, 404 - else: return render_template('errors/404.html', error=True, v=v), 404 + else: return render_template('errors/404.html', error=True), 404 @app.errorhandler(405) -@auth_desired -def error_405(e, v): +def error_405(e): if request.headers.get("Authorization"): return {"error": "405 Method Not Allowed"}, 405 - else: return render_template('errors/405.html', error=True, v=v), 405 + else: return render_template('errors/405.html', error=True), 405 @app.errorhandler(429) -@auth_desired -def error_429(e, v): +def error_429(e): if request.headers.get("Authorization"): return {"error": "429 Too Many Requests"}, 429 - else: return render_template('errors/429.html', error=True, v=v), 429 + else: return render_template('errors/429.html', error=True), 429 @app.errorhandler(500) -@auth_desired -def error_500(e, v): +def error_500(e): g.db.rollback() if request.headers.get("Authorization"): return {"error": "500 Internal Server Error"}, 500 - else: return render_template('errors/500.html', error=True, v=v), 500 + else: return render_template('errors/500.html', error=True), 500 @app.post("/allow_nsfw") @@ -69,11 +61,7 @@ def allow_nsfw(): @app.get("/error/") -@auth_desired -def error_all_preview(error, v): - - try: - return render_template(f"errors/{error}.html", error=True, v=v) - except jinja2.exceptions.TemplateNotFound: - abort(400) +def error_all_preview(error): + try: return render_template(f"errors/{error}.html", error=True) + except: abort(400) \ No newline at end of file 
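Review bot: `error_all_preview` now uses a bare `except:` where the old code caught only `jinja2.exceptions.TemplateNotFound`; a bare except also swallows `SystemExit` and `KeyboardInterrupt` and every genuine rendering error in an existing template, reporting all of them as 400, so template bugs become invisible. Keep the narrow catch, `except jinja2.exceptions.TemplateNotFound: abort(400)`, which means restoring the `import jinja2.exceptions` line removed in this file's first hunk (or `from jinja2 import TemplateNotFound` with `except TemplateNotFound:`). Separately, the error handlers above no longer pass `v` to the error templates; if those templates reference `v`, Jinja will render it as undefined rather than failing, which is worth confirming against the templates.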
diff --git a/files/routes/front.py b/files/routes/front.py index 6f2094243..50f448979 100644 --- a/files/routes/front.py +++ b/files/routes/front.py @@ -12,7 +12,6 @@ def slash_post(): @app.post("/clear") @auth_required -@validate_formkey def clear(v): for n in v.notifications.filter_by(read=False).all(): n.read = True diff --git a/files/routes/login.py b/files/routes/login.py index 4d8d6c229..10718e296 100644 --- a/files/routes/login.py +++ b/files/routes/login.py @@ -158,7 +158,6 @@ def me(v): @app.post("/logout") @limiter.limit("1/second") @auth_required -@validate_formkey def logout(v): session.pop("session_id", None) @@ -170,7 +169,7 @@ def logout(v): @app.get("/signup") @auth_desired def sign_up_get(v): - with open('disablesignups', 'r') as f: + with open('disable_signups', 'r') as f: if f.read() == "yes": return {"error": "New account registration is currently closed. Please come back later."}, 403 if v: return redirect("/") @@ -215,7 +214,7 @@ def sign_up_get(v): @limiter.limit("5/day") @auth_desired def sign_up_post(v): - with open('disablesignups', 'r') as f: + with open('disable_signups', 'r') as f: if f.read() == "yes": return {"error": "New account registration is currently closed. Please come back later."}, 403 if v: abort(403) diff --git a/files/routes/oauth.py b/files/routes/oauth.py index f52a454b4..b1377e3c2 100644 --- a/files/routes/oauth.py +++ b/files/routes/oauth.py @@ -21,7 +21,6 @@ def authorize_prompt(v): @app.post("/authorize") @limiter.limit("1/second") @auth_required -@validate_formkey def authorize(v): client_id = request.values.get("client_id") @@ -40,7 +39,6 @@ def authorize(v): @app.post("/api_keys") @limiter.limit("1/second") @is_not_permabanned -@validate_formkey def request_api_keys(v): new_app = OauthApp( @@ -62,7 +60,6 @@ def request_api_keys(v): @app.post("/delete_app/") @limiter.limit("1/second") @auth_required -@validate_formkey def delete_oauth_app(v, aid): aid = int(aid) 
@@ -83,7 +80,6 @@ def delete_oauth_app(v, aid): @app.post("/edit_app/") @limiter.limit("1/second") @is_not_permabanned -@validate_formkey def edit_oauth_app(v, aid): aid = int(aid) @@ -105,7 +101,6 @@ def edit_oauth_app(v, aid): @app.post("/admin/app/approve/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_app_approve(v, aid): app = g.db.query(OauthApp).filter_by(id=aid).one_or_none() @@ -140,7 +135,6 @@ def admin_app_approve(v, aid): @app.post("/admin/app/revoke/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_app_revoke(v, aid): app = g.db.query(OauthApp).filter_by(id=aid).one_or_none() @@ -166,7 +160,6 @@ def admin_app_revoke(v, aid): @app.post("/admin/app/reject/") @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def admin_app_reject(v, aid): app = g.db.query(OauthApp).filter_by(id=aid).one_or_none() @@ -262,7 +255,6 @@ def admin_apps_list(v): @app.post("/oauth/reroll/") @limiter.limit("1/second") @auth_required -@validate_formkey def reroll_oauth_tokens(aid, v): aid = aid diff --git a/files/routes/posts.py b/files/routes/posts.py index 05a2dcea3..ee5a53f3f 100644 --- a/files/routes/posts.py +++ b/files/routes/posts.py @@ -49,7 +49,6 @@ def toggle_club(pid, v): @app.post("/publish/") @limiter.limit("1/second") @auth_required -@validate_formkey def publish(pid, v): post = get_post(pid) if not post.author_id == v.id: abort(403) @@ -393,7 +392,6 @@ def morecomments(v, cid): @app.post("/edit_post/") @limiter.limit("1/second") @auth_required -@validate_formkey def edit_post(pid, v): if v and v.patron: if request.content_length > 8 * 1024 * 1024: return {"error":"Max file size is 8 MB."}, 413 @@ -683,7 +681,6 @@ def thumbnail_thread(pid): @limiter.limit("1/second") @limiter.limit("6/minute") @auth_required -@validate_formkey def submit_post(v): if v.is_suspended: return {"error": "You can't perform this action while banned."}, 403 
@@ -1144,7 +1141,6 @@ def submit_post(v): @app.post("/delete_post/") @limiter.limit("2/second") @auth_required -@validate_formkey def delete_post_pid(pid, v): post = get_post(pid) @@ -1166,7 +1162,6 @@ def delete_post_pid(pid, v): @app.post("/undelete_post/") @limiter.limit("1/second") @auth_required -@validate_formkey def undelete_post_pid(pid, v): post = get_post(pid) if not post.author_id == v.id: abort(403) @@ -1182,7 +1177,6 @@ def undelete_post_pid(pid, v): @app.post("/toggle_comment_nsfw/") @auth_required -@validate_formkey def toggle_comment_nsfw(cid, v): comment = g.db.query(Comment).filter_by(id=cid).one_or_none() @@ -1197,7 +1191,6 @@ def toggle_comment_nsfw(cid, v): @app.post("/toggle_post_nsfw/") @auth_required -@validate_formkey def toggle_post_nsfw(pid, v): post = get_post(pid) @@ -1224,7 +1217,6 @@ def toggle_post_nsfw(pid, v): @app.post("/save_post/") @limiter.limit("1/second") @auth_required -@validate_formkey def save_post(pid, v): post=get_post(pid) @@ -1241,7 +1233,6 @@ def save_post(pid, v): @app.post("/unsave_post/") @limiter.limit("1/second") @auth_required -@validate_formkey def unsave_post(pid, v): post=get_post(pid) diff --git a/files/routes/reporting.py b/files/routes/reporting.py index 54d1d67fe..3180b3b26 100644 --- a/files/routes/reporting.py +++ b/files/routes/reporting.py @@ -8,7 +8,6 @@ from files.helpers.sanitize import filter_emojis_only @app.post("/report/post/") @limiter.limit("1/second") @auth_required -@validate_formkey def api_flag_post(pid, v): post = get_post(pid) @@ -39,7 +38,6 @@ def api_flag_post(pid, v): @app.post("/report/comment/") @limiter.limit("1/second") @auth_required -@validate_formkey def api_flag_comment(cid, v): comment = get_comment(cid) @@ -64,7 +62,6 @@ def api_flag_comment(cid, v): @app.post('/del_report/') @limiter.limit("1/second") @admin_level_required(2) -@validate_formkey def remove_report(report_fn, v): if report_fn.startswith('c'): 
diff --git a/files/routes/settings.py b/files/routes/settings.py index be1651fb9..431332e26 100644 --- a/files/routes/settings.py +++ b/files/routes/settings.py @@ -37,7 +37,6 @@ tiers={ @app.post("/settings/removebackground") @limiter.limit("1/second") @auth_required -@validate_formkey def removebackground(v): v.background = None g.db.add(v) @@ -47,7 +46,6 @@ def removebackground(v): @app.post("/settings/profile") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_profile_post(v): if v and v.patron: if request.content_length > 8 * 1024 * 1024: return {"error":"Max file size is 8 MB."}, 413 @@ -431,7 +429,6 @@ def settings_profile_post(v): @app.post("/settings/filters") @auth_required -@validate_formkey def filters(v): filters=request.values.get("filters")[:1000].strip() @@ -449,7 +446,6 @@ def filters(v): @app.post("/changelogsub") @auth_required -@validate_formkey def changelogsub(v): v.changelogsub = not v.changelogsub g.db.add(v) @@ -463,7 +459,6 @@ def changelogsub(v): @app.post("/settings/namecolor") @limiter.limit("1/second") @auth_required -@validate_formkey def namecolor(v): if not v or v.oldsite: template = '' else: template = 'CHRISTMAS/' @@ -479,7 +474,6 @@ def namecolor(v): @app.post("/settings/themecolor") @limiter.limit("1/second") @auth_required -@validate_formkey def themecolor(v): if not v or v.oldsite: template = '' else: template = 'CHRISTMAS/' @@ -495,7 +489,6 @@ def themecolor(v): @app.post("/settings/gumroad") @limiter.limit("1/second") @auth_required -@validate_formkey def gumroad(v): if SITE_NAME == 'Drama': patron = 'Paypig' else: patron = 'Patron' @@ -548,7 +541,6 @@ def gumroad(v): @app.post("/settings/titlecolor") @limiter.limit("1/second") @auth_required -@validate_formkey def titlecolor(v): if not v or v.oldsite: template = '' else: template = 'CHRISTMAS/' 
@@ -564,7 +556,6 @@ def titlecolor(v): @app.post("/settings/verifiedcolor") @limiter.limit("1/second") @auth_required -@validate_formkey def verifiedcolor(v): if not v or v.oldsite: template = '' else: template = 'CHRISTMAS/' @@ -580,7 +571,6 @@ def verifiedcolor(v): @app.post("/settings/security") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_security_post(v): if request.values.get("new_password"): if request.values.get("new_password") != request.values.get("cnf_password"): @@ -664,7 +654,6 @@ def settings_security_post(v): @app.post("/settings/log_out_all_others") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_log_out_others(v): submitted_password = request.values.get("password", "").strip() @@ -690,7 +679,6 @@ def settings_log_out_others(v): @app.post("/settings/images/profile") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_images_profile(v): if v and v.patron: if request.content_length > 8 * 1024 * 1024: return {"error":"Max file size is 8 MB."}, 413 @@ -728,7 +716,6 @@ def settings_images_profile(v): @app.post("/settings/images/banner") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_images_banner(v): if v and v.patron: if request.content_length > 8 * 1024 * 1024: return {"error":"Max file size is 8 MB."}, 413 @@ -756,7 +743,6 @@ def settings_images_banner(v): @app.post("/settings/delete/profile") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_delete_profile(v): if v.profileurl or v.highres: @@ -772,7 +758,6 @@ def settings_delete_profile(v): @app.post("/settings/delete/banner") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_delete_banner(v): if v.bannerurl: @@ -804,7 +789,6 @@ def settings_css_get(v): @app.post("/settings/css") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_css(v): if v.agendaposter: return {"error": "Agendapostered users can't edit css!"} 
@@ -829,7 +813,6 @@ def settings_profilecss_get(v): @app.post("/settings/profilecss") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_profilecss(v): if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css." profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000] @@ -844,7 +827,6 @@ def settings_profilecss(v): @app.post("/settings/block") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_block_user(v): user = get_user(request.values.get("username"), graceful=True) @@ -879,7 +861,6 @@ def settings_block_user(v): @app.post("/settings/unblock") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_unblock_user(v): user = get_user(request.values.get("username")) @@ -911,7 +892,6 @@ def settings_apps(v): @app.post("/settings/remove_discord") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_remove_discord(v): remove_user(v) @@ -934,7 +914,6 @@ def settings_content_get(v): @app.post("/settings/name_change") @limiter.limit("1/second") @is_not_permabanned -@validate_formkey def settings_name_change(v): new_name=request.values.get("name").strip() @@ -985,7 +964,6 @@ def settings_name_change(v): @app.post("/settings/song_change") @limiter.limit("5/day;1/second") @auth_required -@validate_formkey def settings_song_change(v): song=request.values.get("song").strip() @@ -1074,7 +1052,6 @@ def settings_song_change(v): @app.post("/settings/title_change") @limiter.limit("1/second") @auth_required -@validate_formkey def settings_title_change(v): if not v or v.oldsite: template = '' else: template = 'CHRISTMAS/' diff --git a/files/routes/static.py b/files/routes/static.py index d73909910..4fd48b632 100644 --- a/files/routes/static.py +++ b/files/routes/static.py 
@@ -269,7 +269,6 @@ def contact(v): @app.post("/send_admin") @limiter.limit("1/second") @auth_required -@validate_formkey def submit_contact(v): message = f'This message has been sent automatically to all admins via [/contact](/contact), user email is "{v.email}"\n\nMessage:\n\n' + request.values.get("message", "") send_admin(v.id, message) diff --git a/files/routes/users.py b/files/routes/users.py index 19a5a377b..56ed9c213 100644 --- a/files/routes/users.py +++ b/files/routes/users.py @@ -124,7 +124,6 @@ def downvoting(v, username): @app.post("/pay_rent") @limiter.limit("1/second") @auth_required -@validate_formkey def pay_rent(v): if v.coins < 500: return {"error":"You must have more than 500 coins."} v.coins -= 500 @@ -141,7 +140,6 @@ def pay_rent(v): @app.post("/steal") @limiter.limit("1/second") @auth_required -@validate_formkey def steal(v): if int(time.time()) - v.created_utc < 604800: return {"error":"You must have an account older than 1 week in order to attempt stealing."} @@ -200,7 +198,6 @@ def thiefs(v): @app.post("/@/suicide") @limiter.limit("1/second") @auth_required -@validate_formkey def suicide(v, username): t = int(time.time()) if v.admin_level == 0 and t - v.suicide_utc < 86400: return {"message": "You're on 1-day cooldown!"} @@ -223,7 +220,6 @@ def get_coins(v, username): @app.post("/@/transfer_coins") @limiter.limit("1/second") @is_not_permabanned -@validate_formkey def transfer_coins(v, username): receiver = g.db.query(User).filter_by(username=username).one_or_none() @@ -261,7 +257,6 @@ def transfer_coins(v, username): @app.post("/@/transfer_bux") @limiter.limit("1/second") @is_not_permabanned -@validate_formkey def transfer_bux(v, username): receiver = g.db.query(User).filter_by(username=username).one_or_none() @@ -367,7 +362,6 @@ def song(song): @app.post("/subscribe/") @limiter.limit("1/second") @auth_required -@validate_formkey def subscribe(v, post_id): new_sub = Subscription(user_id=v.id, submission_id=post_id) g.db.add(new_sub) 
@@ -377,7 +371,6 @@ def subscribe(v, post_id): @app.post("/unsubscribe/") @limiter.limit("1/second") @auth_required -@validate_formkey def unsubscribe(v, post_id): sub=g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).one_or_none() if sub: @@ -394,7 +387,6 @@ def reportbugs(v): @limiter.limit("1/second") @limiter.limit("10/hour") @is_not_permabanned -@validate_formkey def message2(v, username): user = get_user(username, v=v) @@ -464,7 +456,6 @@ def message2(v, username): @limiter.limit("1/second") @limiter.limit("6/minute") @auth_required -@validate_formkey def messagereply(v): message = request.values.get("body", "").strip()[:1000].strip() @@ -832,7 +823,6 @@ def u_username_info(username, v=None): @app.post("/follow/") @limiter.limit("1/second") @auth_required -@validate_formkey def follow_user(username, v): target = get_user(username) @@ -857,7 +847,6 @@ def follow_user(username, v): @app.post("/unfollow/") @limiter.limit("1/second") @auth_required -@validate_formkey def unfollow_user(username, v): target = get_user(username) @@ -882,7 +871,6 @@ def unfollow_user(username, v): @app.post("/remove_follow/") @limiter.limit("1/second") @auth_required -@validate_formkey def remove_follow(username, v): target = get_user(username) @@ -977,7 +965,6 @@ def saved_comments(v, username): @app.post("/fp/") @auth_required -@validate_formkey def fp(v, fp): if v.username != fp: v.fp = fp diff --git a/files/routes/votes.py b/files/routes/votes.py index 6c0fdb92a..c3301d74d 100644 --- a/files/routes/votes.py +++ b/files/routes/votes.py @@ -73,7 +73,6 @@ def admin_vote_info_get(v): @app.post("/vote/post//") @limiter.limit("5/second;60/minute;600/hour") @auth_required -@validate_formkey def api_vote_post(post_id, new, v): if new == "-1" and environ.get('DISABLE_DOWNVOTES') == '1': return {"error": "forbidden."}, 403 
@@ -132,7 +131,6 @@ def api_vote_post(post_id, new, v): @app.post("/vote/comment//") @limiter.limit("5/second;60/minute;600/hour") @auth_required -@validate_formkey def api_vote_comment(comment_id, new, v): if new == "-1" and environ.get('DISABLE_DOWNVOTES') == '1': return {"error": "forbidden."}, 403 @@ -199,7 +197,6 @@ def api_vote_comment(comment_id, new, v): @app.post("/vote/poll/") @auth_required -@validate_formkey def api_vote_poll(comment_id, v): vote = request.values.get("vote") @@ -235,7 +232,6 @@ def api_vote_poll(comment_id, v): @app.post("/bet/") @limiter.limit("1/second") @auth_required -@validate_formkey def bet(comment_id, v): if v.coins < 200: return {"error": "You don't have 200 coins!"} diff --git a/files/templates/admin/admin_home.html b/files/templates/admin/admin_home.html index b20b48448..0c1f338a2 100644 --- a/files/templates/admin/admin_home.html +++ b/files/templates/admin/admin_home.html @@ -58,9 +58,14 @@ {% if v.admin_level > 2 %}
- - + +
{% endif %} +
+ + +
+ {% endblock %} \ No newline at end of file diff --git a/files/templates/authforms.html b/files/templates/authforms.html index 9901cd329..9d0d5c60a 100644 --- a/files/templates/authforms.html +++ b/files/templates/authforms.html @@ -15,7 +15,7 @@ {% if v %} - + {% if v.agendaposter %} - + {% endif %} diff --git a/files/templates/default.html b/files/templates/default.html index ce07af807..6a1311b18 100644 --- a/files/templates/default.html +++ b/files/templates/default.html @@ -7,7 +7,7 @@ {% if v %} - + {% if v.agendaposter %} - + {% endif %} diff --git a/files/templates/log.html b/files/templates/log.html index ee27aa2df..1a2720ef3 100644 --- a/files/templates/log.html +++ b/files/templates/log.html @@ -6,7 +6,7 @@ {% block content %} {% if v %} - + {% if v.agendaposter %} - + {% endif %}
diff --git a/files/templates/login.html b/files/templates/login.html index 283a69bf2..ed702b16d 100644 --- a/files/templates/login.html +++ b/files/templates/login.html @@ -18,7 +18,7 @@ {% endblock %} - + diff --git a/files/templates/login_2fa.html b/files/templates/login_2fa.html index 51793f90c..40c9bb7d8 100644 --- a/files/templates/login_2fa.html +++ b/files/templates/login_2fa.html @@ -14,7 +14,7 @@ 2-Step Login - {{'SITE_NAME' | app_config}} - + diff --git a/files/templates/settings.html b/files/templates/settings.html index d7e5ebb27..84996eede 100644 --- a/files/templates/settings.html +++ b/files/templates/settings.html @@ -34,7 +34,7 @@ - + {% if v.agendaposter %} - + {% else %} - + {% endif %} diff --git a/files/templates/sign_up.html b/files/templates/sign_up.html index 11c408284..85a929dd5 100644 --- a/files/templates/sign_up.html +++ b/files/templates/sign_up.html @@ -31,7 +31,7 @@ {% if ref_user %}{{ref_user.username}} invites you to {{'SITE_NAME' | app_config}}{% else %}Sign up - {{'SITE_NAME' | app_config}}{% endif %} - + diff --git a/files/templates/sign_up_failed_ref.html b/files/templates/sign_up_failed_ref.html index cb0d4b722..374f1e4d2 100644 --- a/files/templates/sign_up_failed_ref.html +++ b/files/templates/sign_up_failed_ref.html @@ -32,7 +32,7 @@ {% if ref_user %}{{ref_user.username}} invites you to {{'SITE_NAME' | app_config}}{% else %}{{'SITE_NAME' | app_config}}{% endif %} - + diff --git a/files/templates/submit.html b/files/templates/submit.html index 52c5950f9..b2c5bd988 100644 --- a/files/templates/submit.html +++ b/files/templates/submit.html @@ -26,7 +26,7 @@ {% block stylesheets %} {% if v %} - + {% if v.agendaposter %} - + {% endif %} {% endblock %}