fish

2022-03-02 06:24:36 +02:00 · 2022-03-02 06:24:36 +02:00 · e62523c2d6
parent ef6a744f14
commit e62523c2d6
9 changed files with 75 additions and 49 deletions
--- a/files/helpers/const.py
+++ b/files/helpers/const.py
@ -694,6 +694,8 @@ emoji_regex4 = re.compile('(?<!"):([!A-Za-z0-9]{1,30}?):', flags=re.A)

 snappy_url_regex = re.compile('<a href=\"(https?:\/\/[a-z]{1,20}\.[^\"]+)\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">(.*?)<\/a>', flags=re.A)

+email_regex = re.compile('([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+', flags=re.A)
+
 slur_regex = re.compile(rf"((?<=\s|>)|^)({single_words})((?=[\s<,.$]|s[\s<,.$]))", flags=re.I|re.A)
 slur_regex_upper = re.compile(rf"((?<=\s|>)|^)({single_words.upper()})((?=[\s<,.$]|S[\s<,.$]))", flags=re.A)
 torture_regex = re.compile('(^|\s)(i|me) ', flags=re.I|re.A)
--- a/files/mail/init.py
+++ b/files/mail/init.py
@ -54,6 +54,11 @@ def api_verify_email(v):
 def activate(v):

 	email = request.values.get("email", "").strip().lower()
+
+	if not email_regex.fullmatch(email):
+		return render_template("message.html", v=v, title="Invalid email.", error="Invalid email."), 400
+
+
 	id = request.values.get("id", "").strip()
 	timestamp = int(request.values.get("time", "0"))
 	token = request.values.get("token", "").strip()
--- a/files/routes/login.py
+++ b/files/routes/login.py
@ -273,7 +273,10 @@ def sign_up_post(v):

 	email = request.values.get("email").strip().lower()

-	if not email: email = None
+	if email:
+		if not email_regex.fullmatch(email):
+			return signup_error("Invalid email.")
+	else: email = None

 	existing_account = get_user(username, graceful=True)
 	if existing_account and existing_account.reserved:
@ -363,7 +366,13 @@ def get_forgot():
 def post_forgot():

 	username = request.values.get("username").lstrip('@')
-	email = request.values.get("email",'').strip().lower().replace("_","\_")
+	email = request.values.get("email",'').strip().lower()
+
+	if not email_regex.fullmatch(email):
+		return render_template("forgot_password.html", error="Invalid email.")
+
+
+	email = email.replace("_","\_")

 	user = g.db.query(User).filter(
 		User.username.ilike(username),
@ -486,6 +495,9 @@ def request_2fa_disable():

 	email=request.values.get("email").strip().lower()

+	if not email_regex.fullmatch(email):
+		return render_template("message.html", title="Invalid email.", error="Invalid email.")
+
 	password =request.values.get("password")
 	if not user.verifyPass(password):
 		return render_template("message.html",
--- a/files/routes/subs.py
+++ b/files/routes/subs.py
@ -251,54 +251,57 @@ def remove_mod(v, sub):
 	
 	return redirect(f'/s/{sub}/mods')

-if SITE_NAME == 'PCM':
-	@app.get("/create_sub")
-	@is_not_permabanned
-	def create_sub(v):
-		if v.id == MENTION_ID: cost = 0
-		else:
+@app.get("/create_sub")
+@is_not_permabanned
+def create_sub(v):
+	if SITE_NAME == 'Drama' and v.id not in (AEVANN_ID, CARP_ID): abort(403)
+	
+	if v.id == MENTION_ID: cost = 0
+	else:
+		num = v.subs_created + 1
+		for a in v.alts:
+			num += a.subs_created
+		cost = num * 100
+	
+	return render_template("sub/create_sub.html", v=v, cost=cost)
+
+
+@app.post("/create_sub")
+@is_not_permabanned
+def create_sub2(v):
+	if SITE_NAME == 'Drama' and v.id not in (AEVANN_ID, CARP_ID): abort(403)
+
+	name = request.values.get('name')
+	if not name: abort(400)
+	name = name.strip().lower()
+
+	if not valid_sub_regex.fullmatch(name):
+		return render_template("sub/create_sub.html", v=v, error="Sub name not allowed."), 400
+
+	sub = g.db.query(Sub).filter_by(name=name).one_or_none()
+	if not sub:
+		if v.id != MENTION_ID:
 			num = v.subs_created + 1
 			for a in v.alts:
 				num += a.subs_created
 			cost = num * 100
-		
-		return render_template("sub/create_sub.html", v=v, cost=cost)

+			if v.coins < cost:
+				return render_template("sub/create_sub.html", v=v, error="You don't have enough coins!"), 403

-	@app.post("/create_sub")
-	@is_not_permabanned
-	def create_sub2(v):
-		name = request.values.get('name')
-		if not name: abort(400)
-		name = name.strip().lower()
+			v.coins -= cost

-		if not valid_sub_regex.fullmatch(name):
-			return render_template("sub/create_sub.html", v=v, error="Sub name not allowed."), 400
+		v.subs_created += 1
+		g.db.add(v)

-		sub = g.db.query(Sub).filter_by(name=name).one_or_none()
-		if not sub:
-			if v.id != MENTION_ID:
-				num = v.subs_created + 1
-				for a in v.alts:
-					num += a.subs_created
-				cost = num * 100
+		sub = Sub(name=name)
+		g.db.add(sub)
+		g.db.flush()
+		mod = Mod(user_id=v.id, sub=sub.name)
+		g.db.add(mod)
+		g.db.commit()

-				if v.coins < cost:
-					return render_template("sub/create_sub.html", v=v, error="You don't have enough coins!"), 403
-
-				v.coins -= cost
-
-			v.subs_created += 1
-			g.db.add(v)
-
-			sub = Sub(name=name)
-			g.db.add(sub)
-			g.db.flush()
-			mod = Mod(user_id=v.id, sub=sub.name)
-			g.db.add(mod)
-			g.db.commit()
-
-		return redirect(f'/s/{sub.name}')
+	return redirect(f'/s/{sub.name}')

@app.post("/kick/<pid>")
@is_not_permabanned
--- a/files/templates/forgot_password.html
+++ b/files/templates/forgot_password.html
@ -19,8 +19,7 @@

 																<label for="email" class="mt-3">Email</label>

-																<input autocomplete="off" class="form-control" id="password" aria-describedby="passwordHelp"
-																		type="email" name="email" required="">
+																<input type="email" pattern='([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+' autocomplete="off" class="form-control" id="password" aria-describedby="passwordHelp" name="email" required>

 																<input autocomplete="off" class="btn btn-primary login w-100 mt-3" type="submit" value="Send recovery link">

--- a/files/templates/lost_2fa.html
+++ b/files/templates/lost_2fa.html
@ -24,8 +24,7 @@

 																<label for="email" class="mt-3">Email</label>

-																<input autocomplete="off" class="form-control" id="password"
-																		type="text" name="email" required=""{% if v %} value="{{v.email}}" disabled{% endif %}>
+																<input autocomplete="off" class="form-control" id="password" type="email" pattern='([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+' name="email" required=""{% if v %} value="{{v.email}}" disabled{% endif %}>

 																<input autocomplete="off" class="btn btn-primary login w-100 mt-3" type="submit" value="Send recovery link">

--- a/files/templates/settings_security.html
+++ b/files/templates/settings_security.html
@ -25,7 +25,7 @@
 						<label for="new-email" class="w-lg-25">Email</label>
 						<div class="w-lg-100">
 							<input autocomplete="off" class="form-control" id="new_email" {% if v.email %}placeholder="{{v.email}}"{% else %}placeholder="Your email"{% endif %}
-							aria-describedby="new_email" type="email" name="new_email" required>
+							aria-describedby="new_email" type="email" pattern='([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+' name="new_email" required>
 							{% if v.email and not v.is_activated %}
 								<div class="text-danger text-small-extra mt-1" id="email-verify-text">Email not verified. You will not be able to recover your account with this email until you verify it. <u><a role="button" onclick="post_toast(this,'/verify_email');emailVerifyText()"class="text-danger">Verify now.</a></u></div>
 							{% elif not v.email %}
--- a/files/templates/sidebar_Drama.html
+++ b/files/templates/sidebar_Drama.html
@ -13,7 +13,9 @@
 		{% if sub.sidebar_html %}
 			<div class="mb-4">{{sub.sidebar_html|safe}}</div>
 		{% endif %}
-		<!-- <a class="btn btn-primary btn-block" href="/create_sub">CREATE SUB</a> -->
+		{% if v.id in (AEVANN_ID,CARP_ID) %}
+			<a class="btn btn-primary btn-block" href="/create_sub">CREATE SUB</a>
+		{% endif %}
 		{% if v and v.mods(sub.name) %}
 		  <a class="btn btn-primary btn-block" href="/s/{{sub.name}}/settings">SUB SETTINGS</a>
 		{% endif %}
@ -25,7 +27,9 @@
 		<a class="btn btn-primary btn-block" href="/s/{{sub.name}}/exilees">EXILEES</a>
 		<a class="btn btn-primary btn-block" href="/s/{{sub.name}}/blockers">BLOCKERS</a>
 	{% else %}
-		<!-- <a class="btn btn-primary btn-block" href="/create_sub">CREATE SUB</a> -->
+		{% if v.id in (AEVANN_ID,CARP_ID) %}
+			<a class="btn btn-primary btn-block" href="/create_sub">CREATE SUB</a>
+		{% endif %}
 		<a class="btn btn-primary btn-block" href="/post/16583">EMOJI MEGATHREAD</a>
 		<a class="btn btn-primary btn-block" href="/post/18459">BUGS/SUGGESTIONS MEGATHREAD</a>
 		<a class="btn btn-primary btn-block" href="/post/32341">SIDEBAR ARTWORK MEGATHREAD</a>
--- a/files/templates/sign_up.html
+++ b/files/templates/sign_up.html
@ -71,6 +71,8 @@

 											<form action="/signup" method="post" class="mt-md-3" id="signup">

+												<input autocomplete="false" name="hidden" type="text" style="display:none;">
+
 														{% if error %}<span class="text-danger">{{error}}</span><br>{% endif %}

 														<input autocomplete="off" type="hidden" name="formkey" value="{{formkey}}">
@ -91,7 +93,7 @@
 														<small class="d-inline-block text-muted ml-1">(optional)</small>

 														<input autocomplete="off" class="form-control" id="email-register"
-														aria-describedby="emailHelpRegister" type="text" name="email">
+														aria-describedby="emailHelpRegister" type="email" pattern='([A-Za-z0-9]+[.-_])*[A-Za-z0-9]+@[A-Za-z0-9-]+(\.[A-Z|a-z]{2,})+' name="email">

 														<label for="password-register" class="mt-3">Password</label>