The listings of users affected by jannied states are long. To make
them more useful, sort by recent user activity (when v is allowed to
view last_active) to know which accounts are still in use.
Previous behavior on submission_listing was clicking a thumbnail would
toggle an inline video player. This was retained for clicking the
thumbnail off the `.video-play` element; however, directly clicking
the `.video-play` did not have the `toggleVideo` onclick event attached
and would navigate the browser to the video file directly.
namespaces are very particular and the https:// version is not the valid
namespace for this XML document
note: this doesn't fix it in the watermark code. that will be fixed by the watermark PR. please don't trample over it ty <3
Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: #56
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
through some reason or another, people are somehow getting cookies that aren't prepended with a dot.
this is a problem because both sessions at, as best as I can tell, mix so it tries to read from a different cookie than we write to. this essentially "freezes" the session in place. users are unable to login, logout, signup, toggle poor mode, toggle NSFW, etc.
~~this attempts to delete bad session cookies (i.e. cookies with a domain that don't start with a dot).~~
~~we don't do this on "dotless" domains (and by extension localhost) because browser support for setting cookies on FQDNs that only have one dot has tenuous support among browsers anyway).~~
~~this *may* log some people out, but... their days of being able to do stuff on the site were numbered anyway.~~
**edit: as amazing as this thought was, browsers just wipe the entire cookies completely and there's no way to specifically target dotless cookies. for an issue that affects a few users, better to just tell them to clear their cookies. if *this* doesn't work, delete service-worker.js and be done with the whole service worker crap. forever. permanently. this PR also includes some QOL improvements.**
Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: #50
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
- /h/masterbaiters: 1 TS - for gayops
- /h/countryclub: 1000 TS - for anything requiring secrecy and doesnt need critical mass - have to make it a rule that u cant post gayops in /h/countryclub
- /h/chudrama: 5000 TS - for chad+stud posts
EDIT: i removed the /h/masterbaiters gate, but u can bring it back if u want
Co-authored-by: Aevann1 <randomname42029@gmail.com>
Co-authored-by: Snakes <duolsm@outlook.com>
Reviewed-on: #41
Co-authored-by: Aevann <aevann@noreply.fsdfsd.net>
Co-committed-by: Aevann <aevann@noreply.fsdfsd.net>
The 500 fixed in 71738b05fc revealed that attempting to access g.v at
all during an error handler can potentially cause its own error.
In particular, html_head L111 accessing v.themecolor errored because
we roll back the database session during 500 handling. There's no good
solution other than specifically not passing v to 500 error pages.
However, in the interest of failing fast and ensuring error handlers
always complete, we instead go back to the previous behavior of not
treating users as logged in for error pages.
also get rid of megathread logic
do the needful and do
```sql
UPDATE submissions SET new=true WHERE title LIKE 'Thread' OR title ILIKE 'megathread';
```
or whatever the proper equivalent is
Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: #34
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
Addressing the downvote spamming on WPD. Correctly shows jannies which
users are SB'd, shows all voters (sans SB icons) to SB'd users, and
only shows real voters to normies. SB'd users votes are still tracked
so the icons look to them like they're doing something.
jinja more like i can't think of anything witty
Co-authored-by: justcool393 <justcool393@gmail.com>
Reviewed-on: #31
Co-authored-by: justcool393 <justcool393@noreply.fsdfsd.net>
Co-committed-by: justcool393 <justcool393@noreply.fsdfsd.net>
the `timeout` parameter only applies to seconds per *byte* received (and time to first
byte), not the entire request
this means an attacker could theoretically send a very... slow...
stream... of... bytes... and... crash... the... worker... when... the...
timeout... is... reached...
Somewhat speculative, but the change in f62a9769fd, while fixing
certain errors where logged-out users sometimes didn't have sessions
come calc_users, also opened the possibility of certain request
sequences that wouldn't give a user a session.
In the interest of conservatism, we create a session if not exists
in both the new location in calc_users and the previous spot in
before_request.
Consider the case of the current /notifications filter condition:
WHERE ... NOT ((comments.sentto = 2) AND (users.is_muted))
SELECT 1 WHERE NOT ((null = 2) AND (true)); ⇒ 0 rows
SELECT 1 WHERE NOT ((1 = 2) AND (true)); ⇒ 1 row
SELECT 1 WHERE NOT ((2 = 2) AND (true)); ⇒ 0 rows
We want the first expression, where comments.sentto = null, to evaluate
to false, not to null, so it negates to true. Behavior as written is:
SELECT 1 WHERE NOT ((null = 2) AND (true)); →
SELECT 1 WHERE NOT (null AND true); →
SELECT 1 WHERE NOT null; →
SELECT 1 WHERE null;
Which guarantees a null return set. If we check first for non-nullity:
SELECT 1 WHERE NOT ((null IS NOT null) AND (null = 2) AND (true)); ⇒ 1
SELECT 1 WHERE NOT ((1 IS NOT null) AND (1 = 2) AND (true)); ⇒ 1
SELECT 1 WHERE NOT ((2 IS NOT null) AND (2 = 2) AND (true)); ⇒ 0
* backend support for roulette betting on 0 and 00
* casino: roulette: add 0 and 00 frontend
* add spacer
* roulette: fix the thing
* don't payout where needful not to
* sanity check
* roulette: validate requests properly
* roulette actions from API make more sane
* user: move can_see_to user class
* stub out can_see in comments and posts
* make can_see a classmethod so it's usable for loggedoutfriends
* test
* kill me now
* threelargeclassesmating
* dfdfdfdfdfdfd
* sdsdsdsd
* classmethod should be above i think
* Revert "classmethod should be above i think"
This reverts commit df1772eb9e7e71bf7b89123f6277b648de2b1af3.
* Revert "Revert "classmethod should be above i think""
This reverts commit 32883406c2e2916fc6c436611376a1817c16cb84.
* test rewritnig thing
* go home python
* what the fuck python
* fix AttributeError
* sdsdsdsdsdsd
* lazy and user and stuff
* test
* Revert "test"
This reverts commit 45af5bb3d45f3ec17126ab117d494ec978062a38.
* merge
* newline
* test
* test 2
* Revert "test"
This reverts commit 196dae677e2ee8cd29261c93dcb747087cb399b6.
* revert test
* fix merge error
* fix import error ciruclation i think
* sdsd
* add type annotations back
* deleted_utc
* isinstance
* user_can_see in jinja and remove unnecessary things
* a bunch of stuff
remove can_see from comment and post
expand can_see to messages
* antiannoyingamountsofwhitespace
* fix for chudrama
* improve prev
* move Base definition to files.classes.__init__.py
* fix ImportError
* move userpage listing to users.py
* don't import the app from classes
* consts: set default values to avoid crashes
consts: warn if the secret key is the default config value
* card view: sneed (user db schema)
* cloudflare: use DEFAULT_CONFIG_VALUE
* const: set default values
* decouple media.py from __main__
* pass database to avoid imports
* import cleanup and import request not in const, but in the requests mega import
* move asset_submissions site check to __init__
* asset submissions feature flag
* flag
* g.is_tor
* don't import request where it's not needed
* i think this is fine
* mail: move to own routes and helper
* wrappers
* required wrappers move
* unfuck wrappers a bit
* move snappy quotes and marseys to stateful consts
* marsify
* :pepodrool:
* fix missing import
* import cache
* ...and settings.py
* and static.py
* static needs cache
* route
* lmao all of the jinja shit was in feeds.py amazing
* classes should only import what they need from flask
* import Response
* hdjbjdhbhjf
* ...
* dfdfdfdf
* make get a non-required import
* isort imports (mostly)
* but actually
* configs
* reload config on import
* fgfgfgfg
* config
* config
* initialize snappy and test
* cookie of doom debug
* edfjnkf
* xikscdfd
* debug config
* set session cookie domain, i think this fixes the can't login bug
* sdfbgnhvfdsghbnjfbdvvfghnn
* hrsfxgf
* dump the entire config on a request
* kyskyskyskyskyskyskyskyskys
* duifhdskfjdfd
* dfdfdfdfdfdfdfdfdfdfdfdf
* dfdfdfdf
* imoprt all of the consts beacuse fuck it
* ðŸ˜
* dfdfdfdfdfdfsdasdf
* print the entire session
* rffdfdfjkfksj
* fgbhffh
* not the secret keys
* minor bug fixes
* be helpful in the warning
* gfgfgfg
* move warning lower
* isort main imports (i hope this doesn't fuck something up)
* test
* session cookie domain redux
* dfdfdfd
* try only importing Flask
* formkeys fix
* y
* :pepodrool:
* route helper
* remove before flight
* dfdfdfdfdf
* isort classes
* isort helpers
* move check_for_alts to routehelpers and also sort imports and get rid of unused ones
* that previous commit but actkally
* readd the cache in a dozen places they were implicitly imported
* use g.is_tor instead of request.headers. bla bla bla
* upgrade streamers to their own route file
* get rid of unused imports in __main__
* fgfgf
* don't pull in the entire ORM where we don't need it
* features
* explicit imports for the get helper
* explicit imports for the get helper redux
* testing allroutes
* remove unused import
* decouple flask from classes
* syntax fix also remember these have side fx for some reason (why?)
* move side effects out of the class
* posts
* testing on devrama
* settings
* reloading
* settingssdsdsds
* streamer features
* site settings
* testing settings on devrama
* import
* fix modlog
* remove debug stuff
* revert commit 67275b21ab6e2f2520819e84d10bfc1c746a15b6
* archiveorg to _archiveorg
* skhudkfkjfd
* fix cron for PCM
* fix bugs that snekky wants me to
* Fix call to realbody passing db, standardize kwarg
* test
* import check_for_alts from the right place
* cloudflare
* testing on devrama
* fix cron i think
* shadow properly
* tasks
* Remove print which will surely be annoying in prod.
* v and create new session
* use files.classes
* make errors import little and fix rare 500 in /allow_nsfw
* Revert "use files.classes"
This reverts commit 98c10b876cf86ce058b7fb955cf1ec0bfb9996c6.
* pass v to media functions rather than using g
* fix
* dfdfdfdfd
* cleanup, py type checking is dumb so don't use it where it causes issues
* Fix some merge bugs, add DEFAULT_RATELIMIT to main.
* Fix imports on sqlalchemy expressions.
* `from random import random` is an error.
* Fix replies db param.
* errors: fix missing import
* fix rare 500: only send to GIFT_NOTIF_ID if it exists, and send them the right text
* Fix signup formkey.
* fix 2 500s
* propagate db to submissions
* fix replies
* dfdfdfdf
* Fix verifiedcolor.
* is_manual
* can't use getters outside of an app context
* don't attempt to do gumroad on sites where it's not enabled
* don't attempt to do gumraod on sites's where it's unnecessary
* Revert "don't attempt to do gumroad on sites where it's not enabled"
This reverts commit 6f8a6331878655492dfaf1907b27f8be513c14d3.
* fix 500
* validate media type
Co-authored-by: TLSM <duolsm@outlook.com>
currently account delinking is very messy and can sometimes just not work
we do codey stuff so it's not as bad
also we create a pretty page for mops to mop up borked account links
* alts: allow proper delinking
* fix prev commit
* url fix
* fix 500
* fixes
* :pepodrool:
* flag
* :pepodrool: redux
* sdsdsdsds
* correct endpoint
* fix html page
* alts: only adjust session history if flag is set
* fix 500
* allow relinking
* fsdsds
* :pepodrool: redux
* alts: don't fail if an alt isn't history
* use postToastSwitch + some API changes
* remove unnecessary variables
* d-none
* delink accounts mod action
* fa-link-slash
* alts: add form to create alt
* remove copied and pasted template
* rounded section
* UI improvement + fix
* \n
* fix status
* admin: remove duplicate route
admin: do a permissions check on 2 pages that need it
admin: set the manual flag for manually flagged alts
* variable change
* fix 500
* alts
* add shadowban icon to alt link tool
* shadowbanned tooltip
* add user info section
* fix 500, remove unnecessary form, and add alt votes button
* trans and also link to page
* margin
* sdsdsd
* stop the count
* fix prev commit
* with ctx
* plural
* alts
* don't show shadowbanned users to those who can't see them
this is... extremely rare and won't ever be seen in production however if perms were ever rearranged in the future, this keeps permissions correct
* shadowban check in alt list
* let shadow realm enthusiasts see shadowban alts
* sdsdsds
* test
* be graceful where needed
* sdsdsdsds
* alts: don't allow adding the same account
alts: clarify wording
* rename and reorder on admin panel
* EOL
* remove frankly unnecessary check
* try with a set
* test
* Revert "try with a set"
This reverts commit 72be353fba5ffa39b37590cc5d3bf584c94ee06e.
* Revert "Revert "try with a set""
This reverts commit 81e41890a192e8b46d0463477998e905fddf56ba.
* Revert "Revert "Revert "try with a set"""
This reverts commit be51592135a3c09848f993f0154bd2ac862ae505.
* clean up test
Ultimately necessary because otherwise all bots share rate limits
with each other. The somewhat haphazard ordering of decorators bothers
me, but it's functionally required.
Approaches using request context (like reading the Authorization
header in ratelimit_user) likely produce bugs all their own.
Aevann1
justcool393
Snakes
geese_suck
Nekobit
Aevann1