modmail: constantify user ID and fix bug where users can bypass modmail route checks

the random `c.sentto == 2` magic numbers in the code are... pretty
unmaintainable, and unless you were aware of who "2" was, it's hard to
know what's going on.

in addition, we force modmail to go through the modmail path instead of
letting users bypass validation checks.
This commit is contained in:
justcool393 2023-02-16 19:26:58 -06:00 committed by Ben Rog-Wilhelm
parent 81cfc09fed
commit 1574c46d0a
4 changed files with 10 additions and 6 deletions


@ -18,6 +18,7 @@ CC_TITLE = CC.title()
NOTIFICATIONS_ID = 1
AUTOJANNY_ID = 2
MODMAIL_ID = 2
SNAPPY_ID = 3
LONGPOSTBOT_ID = 4
ZOZBOT_ID = 5
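Review bot: MODMAIL_ID is introduced with the same value as AUTOJANNY_ID on the line above it, so every `== MODMAIL_ID` comparison the rest of the commit adds is also a match on the autojanny account and vice versa. If sharing one account is intentional, a comment on the new line makes that explicit so neither constant is "fixed" independently later, e.g. `MODMAIL_ID = 2  # same account as AUTOJANNY_ID; modmail is delivered through it`. If they are meant to diverge at some point, the places that now rely on the two being equal are not visible here and would need a second look.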


@ -75,6 +75,7 @@ def inject_constants():
"SITE_FULL":SITE_FULL,
"AUTOJANNY_ID":AUTOJANNY_ID,
"NOTIFICATIONS_ID":NOTIFICATIONS_ID,
"MODMAIL_ID":MODMAIL_ID,
"PUSHER_ID":PUSHER_ID,
"CC":CC,
"CC_TITLE":CC_TITLE,


@ -528,6 +528,10 @@ def message2(v, username):
"contact modmail if you think this decision was incorrect.")
user = get_user(username, v=v, include_blocks=True)
if user.id == MODMAIL_ID:
abort(403, "Please use modmail to contact the admins")
if hasattr(user, 'is_blocking') and user.is_blocking: abort(403, "You're blocking this user.")
if v.admin_level <= 1 and hasattr(user, 'is_blocked') and user.is_blocked:
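Review bot: The new guard after `get_user` in `message2` closes the direct-message route to the modmail account, but `messagereply` in the hunk below still takes its recipient from `parent.author.id` and `parent.sentto`, and the hunk does not show whether a reply inside a thread addressed to that account goes through the same validation, so that path should be confirmed before the bypass is considered fully closed. Both functions start and end outside the hunks shown. A short comment on the guard would record the intent for the next reader, e.g. `# direct messages to the modmail account must go through the modmail route so its checks cannot be skipped`. Separately, the changed file-upload line in `messagereply` keeps trusting the `cf-ipcountry` request header; that is pre-existing, but it is only a reliable signal while every request arrives through the CDN that sets it.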
@ -536,7 +540,6 @@ def message2(v, username):
message = request.values.get("message", "").strip()[:10000].strip()
if not message: abort(400, "Message is empty!")
body_html = sanitize(message)
existing = g.db.query(Comment.id).filter(Comment.author_id == v.id,
@ -553,7 +556,6 @@ def message2(v, username):
body_html=body_html
)
g.db.add(c)
g.db.flush()
c.top_comment_id = c.id
@ -588,12 +590,12 @@ def messagereply(v):
parent = get_comment(id, v=v)
user_id = parent.author.id
if parent.sentto == 2: user_id = None
if parent.sentto == MODMAIL_ID: user_id = None
elif v.id == user_id: user_id = parent.sentto
body_html = sanitize(message)
if parent.sentto == 2 and request.files.get("file") and request.headers.get("cf-ipcountry") != "T1":
if parent.sentto == MODMAIL_ID and request.files.get("file") and request.headers.get("cf-ipcountry") != "T1":
file=request.files["file"]
if file.content_type.startswith('image/'):
name = f'/images/{time.time()}'.replace('.','') + '.webp'


@ -141,7 +141,7 @@
{% elif c.author_id==NOTIFICATIONS_ID or c.author_id==AUTOJANNY_ID %}
<span class="font-weight-bold">Notification</span>
{% else %}
{% if c.sentto == 2 %}
{% if c.sentto == MODMAIL_ID %}
<span class="font-weight-bold">Sent to admins</span>
{% else %}
<span class="font-weight-bold">Sent to @{{c.senttouser.username}}</span>
@ -556,7 +556,7 @@
<textarea required autocomplete="off" minlength="1" maxlength="10000" name="body" form="reply-to-t3_{{c.id}}" data-id="{{c.id}}" class="comment-box form-control rounded" id="reply-form-body-{{c.id}}" aria-label="With textarea" rows="3" oninput="markdown('reply-form-body-{{c.id}}', 'message-reply-{{c.id}}')"></textarea>
<div class="comment-format" id="comment-format-bar-{{c.id}}">
{% if c.sentto == 2 %}
{% if c.sentto == MODMAIL_ID %}
<label class="btn btn-secondary m-0 mt-3" for="file-upload">
<div id="filename"><i class="far fa-image"></i></div>
<input autocomplete="off" id="file-upload" type="file" name="file" accept="image/*, video/*" {% if request.headers.get('cf-ipcountry')=="T1" %}disabled{% endif %} onchange="changename('filename','file-upload')" hidden>