From f2a5c8f5d49508a74eaa589da45cc49ad160eeac Mon Sep 17 00:00:00 2001
From: Aevann1
Date: Fri, 14 Oct 2022 19:11:39 +0200
Subject: [PATCH] add whitelist of badge_granting on WPD, and disallow removing award badges
---
 files/routes/admin.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/files/routes/admin.py b/files/routes/admin.py
index 965e70d11..878f62c9d 100644
--- a/files/routes/admin.py
+++ b/files/routes/admin.py
@@ -530,6 +530,9 @@ def badge_grant_post(v):
 try: badge_id = int(request.values.get("badge_id"))
 except: abort(400)
+ if SITE == 'watchpeopledie.co' and badge_id not in {99,101}:
+ abort(403)
+
 if badge_id in {16,17,21,22,23,24,25,26,27,94,95,96,97,98,109,137,67,68,83,84,87,90,140} and v.id != AEVANN_ID and SITE != 'pcmemes.net': abort(403)
@@ -592,6 +595,9 @@ def badge_remove_post(v):
 try: badge_id = int(request.values.get("badge_id"))
 except: abort(400)
+ if badge_id in {67,68,83,84,87,90,140} and v.id != AEVANN_ID and SITE != 'pcmemes.net':
+ abort(403)
+
 badge = user.has_badge(badge_id)
 if not badge: return render_template("admin/badge_remove.html", v=v, badge_types=badges, error="User doesn't have that badge.")
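Review bot: The allowlist added in badge_grant_post (`SITE == 'watchpeopledie.co' and badge_id not in {99,101}`) is enforced only on the grant path; the second hunk gives badge_remove_post the award-badge check but no matching site restriction. As far as the visible lines show, an admin on that site who may grant only badges 99 and 101 can still remove any non-award badge. If the intent is that those admins manage only the two listed badges, mirror the check in the removal route; if the asymmetry is deliberate, say so in a comment above the check. The bare literals would also read better as a named module-level constant, for example `WPD_GRANTABLE_BADGES = {99, 101}`, with a comment naming the two badges. The function body starts and ends outside the hunk.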
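Review bot: The set `{67,68,83,84,87,90,140}` added to badge_remove_post repeats the last seven ids of the set already checked in badge_grant_post, so the two authorization lists have to be kept in sync by hand. A new award badge added to one route and not the other would silently become grantable or removable by any admin. Define the award ids once at module level and reuse them in both routes, extending the grant-side set from that constant. The condition `v.id != AEVANN_ID and SITE != 'pcmemes.net'` also skips the check for every admin on pcmemes.net; a one-line comment stating why that site is exempt would make the exemption reviewable. The function body starts and ends outside the hunk.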