Aevann1 2021-12-09 23:21:52 +02:00
parent 3bbe195b75
commit 3aae15d985
28 changed files with 245 additions and 142 deletions


@ -2,6 +2,7 @@ function post_toast2(url, button1, button2) {
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("POST", url, true); xhr.open("POST", url, true);
var form = new FormData() var form = new FormData()
form.append("formkey", formkey());
if(typeof data === 'object' && data !== null) { if(typeof data === 'object' && data !== null) {
for(let k of Object.keys(data)) { for(let k of Object.keys(data)) {
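Review bot: The new `form.append("formkey", formkey());` runs with no null check, and the formkey() helper defined in this commit dereferences `document.getElementById("formkey")` directly, so on any page that loads post_toast2 without the hidden `#formkey` div (the commit adds that div to only two templates) this line throws a TypeError and the request never goes out. If failing closed without the CSRF token is intended it deserves a comment, e.g. `// formkey() throws when #formkey is absent: never send this POST without the token`; otherwise guard once inside formkey() rather than at every call site. The same line is added to post_toast3, the second post_toast2 and post_toast in the next three hunks and to viewmore later in the commit. post_toast2's body continues outside the hunk.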


@ -11,6 +11,7 @@ function post_toast3(url, button1, button2) {
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("POST", url, true); xhr.open("POST", url, true);
var form = new FormData() var form = new FormData()
form.append("formkey", formkey());
if(typeof data === 'object' && data !== null) { if(typeof data === 'object' && data !== null) {
for(let k of Object.keys(data)) { for(let k of Object.keys(data)) {


@ -91,6 +91,7 @@ function post_toast2(url, button1, button2) {
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("POST", url, true); xhr.open("POST", url, true);
var form = new FormData() var form = new FormData()
form.append("formkey", formkey());
if(typeof data === 'object' && data !== null) { if(typeof data === 'object' && data !== null) {
for(let k of Object.keys(data)) { for(let k of Object.keys(data)) {


@ -9,6 +9,7 @@ function post_toast(url, reload, data) {
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("POST", url, true); xhr.open("POST", url, true);
var form = new FormData() var form = new FormData()
form.append("formkey", formkey());
if(typeof data === 'object' && data !== null) { if(typeof data === 'object' && data !== null) {
for(let k of Object.keys(data)) { for(let k of Object.keys(data)) {


@ -1,6 +1,8 @@
function block_user() { function formkey() {
return document.getElementById("formkey").innerHTML;
}
var exileForm = document.getElementById("exile-form"); function block_user() {
var usernameField = document.getElementById("exile-username"); var usernameField = document.getElementById("exile-username");
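Review bot: formkey() is defined at file scope here and again, byte-identical, in the next hunk's file; both become globals, so whichever script loads last silently wins and any later divergence between the copies will go unnoticed — keep a single copy in a shared script. It also reads the token through `innerHTML`, which returns the element's markup rather than its text; `return document.getElementById("formkey").textContent;` is the accurate accessor for a plain token and is unaffected by HTML escaping of the value. The helper throws a TypeError when `#formkey` is absent, which only two templates in this commit add; if that fail-closed behaviour is deliberate, a one-line comment saying so would help the next reader.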


@ -1,3 +1,7 @@
function formkey() {
return document.getElementById("formkey").innerHTML;
}
function post(url) { function post(url) {
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("POST", url, true); xhr.open("POST", url, true);


@ -1,67 +1,31 @@
function post_toast_callback(url, data, callback) { let uid = document.getElementById('uid')
var xhr = new XMLHttpRequest();
xhr.open("POST", url, true);
var form = new FormData()
if(typeof data === 'object' && data !== null) { if (uid)
for(let k of Object.keys(data)) { {
form.append(k, data[k]); function pause() {
} audio.pause();
document.getElementById("pause1").classList.toggle("d-none");
document.getElementById("play1").classList.toggle("d-none");
document.getElementById("pause2").classList.toggle("d-none");
document.getElementById("play2").classList.toggle("d-none");
} }
form.append("formkey", formkey()); function play() {
xhr.withCredentials=true; audio.play();
document.getElementById("pause1").classList.toggle("d-none");
xhr.onload = function() { document.getElementById("play1").classList.toggle("d-none");
let result = callback(xhr); document.getElementById("pause2").classList.toggle("d-none");
if (xhr.status >= 200 && xhr.status < 300) { document.getElementById("play2").classList.toggle("d-none");
var myToast = new bootstrap.Toast(document.getElementById('toast-post-error'));
myToast.hide();
var myToast = new bootstrap.Toast(document.getElementById('toast-post-success'));
myToast.show();
try {
if(typeof result == "string") {
document.getElementById('toast-post-success-text').innerText = result;
} else {
document.getElementById('toast-post-success-text').innerText = JSON.parse(xhr.response)["message"];
}
} catch(e) {
document.getElementById('toast-post-success-text').innerText = "Action successful!";
} }
return true; window.addEventListener('load', (e) => {
} else {
var myToast = new bootstrap.Toast(document.getElementById('toast-post-success'));
myToast.hide();
var myToast = new bootstrap.Toast(document.getElementById('toast-post-error')); let audio = new Audio(`/songs/${uid}`);
myToast.show(); audio.loop=true;
try { audio.play();
if(typeof result == "string") { document.getElementById('userpage').addEventListener('click', () => {
document.getElementById('toast-post-error-text').innerText = result; if (audio.paused) audio.play();
} else { }, {once : true});
document.getElementById('toast-post-error-text').innerText = JSON.parse(xhr.response)["error"]; });
}
return false
} catch(e) {}
return false;
}
};
xhr.send(form);
}
function toggleElement(group, id) {
for(let el of document.getElementsByClassName(group)) {
if(el.id != id) {
el.classList.add('d-none');
}
}
document.getElementById(id).classList.toggle('d-none');
} }
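Review bot: On the new side `audio` is declared with `let` inside the `load` callback, but pause() and play() reference `audio` from the enclosing block, so clicking either control throws a ReferenceError; before this change `var audio` lived at script top level. Declare it next to `uid`, `let audio;`, and assign `audio = new Audio(...)` inside the callback. `uid` is also the element itself, not its text, so `` `/songs/${uid}` `` interpolates "[object HTMLDivElement]" instead of the id — use `` `/songs/${uid.textContent}` ``. The same block is copied into the new file added later in this commit and has both problems there too.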


@ -0,0 +1,132 @@
function post_toast_callback(url, data, callback) {
var xhr = new XMLHttpRequest();
xhr.open("POST", url, true);
var form = new FormData()
form.append("formkey", formkey());
if(typeof data === 'object' && data !== null) {
for(let k of Object.keys(data)) {
form.append(k, data[k]);
}
}
form.append("formkey", formkey());
xhr.withCredentials=true;
xhr.onload = function() {
let result = callback(xhr);
if (xhr.status >= 200 && xhr.status < 300) {
var myToast = new bootstrap.Toast(document.getElementById('toast-post-error'));
myToast.hide();
var myToast = new bootstrap.Toast(document.getElementById('toast-post-success'));
myToast.show();
try {
if(typeof result == "string") {
document.getElementById('toast-post-success-text').innerText = result;
} else {
document.getElementById('toast-post-success-text').innerText = JSON.parse(xhr.response)["message"];
}
} catch(e) {
document.getElementById('toast-post-success-text').innerText = "Action successful!";
}
return true;
} else {
var myToast = new bootstrap.Toast(document.getElementById('toast-post-success'));
myToast.hide();
var myToast = new bootstrap.Toast(document.getElementById('toast-post-error'));
myToast.show();
try {
if(typeof result == "string") {
document.getElementById('toast-post-error-text').innerText = result;
} else {
document.getElementById('toast-post-error-text').innerText = JSON.parse(xhr.response)["error"];
}
return false
} catch(e) {}
return false;
}
};
xhr.send(form);
}
function toggleElement(group, id) {
for(let el of document.getElementsByClassName(group)) {
if(el.id != id) {
el.classList.add('d-none');
}
}
document.getElementById(id).classList.toggle('d-none');
}
let uid = document.getElementById('uid')
if (uid)
{
function pause() {
audio.pause();
document.getElementById("pause1").classList.toggle("d-none");
document.getElementById("play1").classList.toggle("d-none");
document.getElementById("pause2").classList.toggle("d-none");
document.getElementById("play2").classList.toggle("d-none");
}
function play() {
audio.play();
document.getElementById("pause1").classList.toggle("d-none");
document.getElementById("play1").classList.toggle("d-none");
document.getElementById("pause2").classList.toggle("d-none");
document.getElementById("play2").classList.toggle("d-none");
}
window.addEventListener('load', (e) => {
let audio = new Audio(`/songs/${uid}`);
audio.loop=true;
audio.play();
document.getElementById('userpage').addEventListener('click', () => {
if (audio.paused) audio.play();
}, {once : true});
});
}
let TRANSFER_TAX=document.getElementById()
function updateTax(mobile=false) {
let suf = mobile ? "-mobile" : "";
let amount = parseInt(document.getElementById("coins-transfer-amount" + suf).value);
if(isNaN(amount) || amount < 0) {
amount = 0;
}
document.getElementById("coins-transfer-taxed" + suf).innerText = amount - Math.ceil(amount*TRANSFER_TAX);
}
function transferCoins(mobile=false) {
let t = event.target;
t.disabled = true;
let amount = parseInt(document.getElementById("coins-transfer-amount").value);
let transferred = amount - Math.ceil(amount*TRANSFER_TAX);
post_toast_callback("/@{{u.username}}/transfer_coins",
{"amount": document.getElementById(mobile ? "coins-transfer-amount-mobile" : "coins-transfer-amount").value},
(xhr) => {
if(xhr.status == 200) {
document.getElementById("user-coins-amount").innerText = parseInt(document.getElementById("user-coins-amount").innerText) - amount;
document.getElementById("profile-coins-amount-mobile").innerText = parseInt(document.getElementById("profile-coins-amount-mobile").innerText) + transferred;
document.getElementById("profile-coins-amount").innerText = parseInt(document.getElementById("profile-coins-amount").innerText) + transferred;
}
}
);
setTimeout(_ => t.disabled = false, 2000);
}
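Review bot: `let TRANSFER_TAX=document.getElementById()` is called without an id, so it evaluates to null and every `amount*TRANSFER_TAX` in updateTax and transferCoins yields NaN, which is what the user sees; read the value the template now ships, `let TRANSFER_TAX = parseFloat(document.getElementById('tax').textContent);`. The same file keeps the Jinja expression `"/@{{u.username}}/transfer_coins"`, which is not rendered inside a static asset, so the POST goes to a literal `{{u.username}}` path; use the new `#username` div, `` `/@${document.getElementById('username').textContent}/transfer_coins` ``. In post_toast_callback `form.append("formkey", formkey())` appears twice, once before the data loop and once after, so the token is sent as two fields; drop one. The song block at the bottom has the element-interpolation and block-scoped `audio` problems already raised on the earlier userpage script hunk.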


@ -3,6 +3,7 @@ function viewmore(pid,sort,offset) {
btn.disabled = true; btn.disabled = true;
btn.innerHTML = "Requesting..."; btn.innerHTML = "Requesting...";
var form = new FormData(); var form = new FormData();
form.append("formkey", formkey());
var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest();
xhr.open("post", `/viewmore/${pid}/${sort}/${offset}`); xhr.open("post", `/viewmore/${pid}/${sort}/${offset}`);
xhr.withCredentials=true; xhr.withCredentials=true;


@ -43,6 +43,7 @@ def send_verification_email(user, email=None):
@app.post("/verify_email") @app.post("/verify_email")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def api_verify_email(v): def api_verify_email(v):
send_verification_email(v) send_verification_email(v)


@ -36,6 +36,7 @@ def truescore(v):
@app.post("/@<username>/revert_actions") @app.post("/@<username>/revert_actions")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def revert_actions(v, username): def revert_actions(v, username):
if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
user = get_user(username) user = get_user(username)
@ -61,6 +62,7 @@ def revert_actions(v, username):
@app.post("/@<username>/club_allow") @app.post("/@<username>/club_allow")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def club_allow(v, username): def club_allow(v, username):
u = get_user(username, v=v) u = get_user(username, v=v)
@ -84,6 +86,7 @@ def club_allow(v, username):
@app.post("/@<username>/club_ban") @app.post("/@<username>/club_ban")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def club_ban(v, username): def club_ban(v, username):
u = get_user(username, v=v) u = get_user(username, v=v)
@ -107,6 +110,7 @@ def club_ban(v, username):
@app.post("/@<username>/make_admin") @app.post("/@<username>/make_admin")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def make_admin(v, username): def make_admin(v, username):
if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
user = get_user(username) user = get_user(username)
@ -120,6 +124,7 @@ def make_admin(v, username):
@app.post("/@<username>/remove_admin") @app.post("/@<username>/remove_admin")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def remove_admin(v, username): def remove_admin(v, username):
if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
user = get_user(username) user = get_user(username)
@ -133,6 +138,7 @@ def remove_admin(v, username):
@app.post("/@<username>/make_meme_admin") @app.post("/@<username>/make_meme_admin")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def make_meme_admin(v, username): def make_meme_admin(v, username):
if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
user = get_user(username) user = get_user(username)
@ -146,6 +152,7 @@ def make_meme_admin(v, username):
@app.post("/@<username>/remove_meme_admin") @app.post("/@<username>/remove_meme_admin")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def remove_meme_admin(v, username): def remove_meme_admin(v, username):
if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
user = get_user(username) user = get_user(username)
@ -159,6 +166,7 @@ def remove_meme_admin(v, username):
@app.post("/admin/monthly") @app.post("/admin/monthly")
@limiter.limit("1/day") @limiter.limit("1/day")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def monthly(v): def monthly(v):
if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host): if 'pcm' in request.host or (SITE_NAME == 'Drama' and v.admin_level > 2) or ('rama' not in request.host and 'pcm' not in request.host):
thing = g.db.query(AwardRelationship).order_by(AwardRelationship.id.desc()).first().id thing = g.db.query(AwardRelationship).order_by(AwardRelationship.id.desc()).first().id
@ -930,6 +938,7 @@ def api_distinguish_post(post_id, v):
@app.post("/sticky/<post_id>") @app.post("/sticky/<post_id>")
@admin_level_required(2) @admin_level_required(2)
@validate_formkey
def api_sticky_post(post_id, v): def api_sticky_post(post_id, v):
post = g.db.query(Submission).filter_by(id=post_id).first() post = g.db.query(Submission).filter_by(id=post_id).first()
@ -965,6 +974,7 @@ def api_sticky_post(post_id, v):
@app.post("/ban_comment/<c_id>") @app.post("/ban_comment/<c_id>")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(1) @admin_level_required(1)
@validate_formkey
def api_ban_comment(c_id, v): def api_ban_comment(c_id, v):
comment = g.db.query(Comment).filter_by(id=c_id).first() comment = g.db.query(Comment).filter_by(id=c_id).first()
@ -989,6 +999,7 @@ def api_ban_comment(c_id, v):
@app.post("/unban_comment/<c_id>") @app.post("/unban_comment/<c_id>")
@limiter.limit("1/second") @limiter.limit("1/second")
@admin_level_required(1) @admin_level_required(1)
@validate_formkey
def api_unban_comment(c_id, v): def api_unban_comment(c_id, v):
comment = g.db.query(Comment).filter_by(id=c_id).first() comment = g.db.query(Comment).filter_by(id=c_id).first()
@ -1013,6 +1024,7 @@ def api_unban_comment(c_id, v):
@app.post("/distinguish_comment/<c_id>") @app.post("/distinguish_comment/<c_id>")
@admin_level_required(1) @admin_level_required(1)
@validate_formkey
def admin_distinguish_comment(c_id, v): def admin_distinguish_comment(c_id, v):


@ -234,6 +234,7 @@ def shop(v):
@app.post("/buy/<award>") @app.post("/buy/<award>")
@auth_required @auth_required
@validate_formkey
def buy(v, award): def buy(v, award):
AWARDS = { AWARDS = {
"shit": { "shit": {
@ -446,6 +447,7 @@ def buy(v, award):
@app.post("/post/<pid>/awards") @app.post("/post/<pid>/awards")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def award_post(pid, v): def award_post(pid, v):
if v.shadowbanned: return render_template('errors/500.html', v=v), 500 if v.shadowbanned: return render_template('errors/500.html', v=v), 500
@ -603,6 +605,7 @@ def award_post(pid, v):
@app.post("/comment/<cid>/awards") @app.post("/comment/<cid>/awards")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def award_comment(cid, v): def award_comment(cid, v):
if v.shadowbanned: return render_template('errors/500.html', v=v), 500 if v.shadowbanned: return render_template('errors/500.html', v=v), 500


@ -13,6 +13,7 @@ def slash_post():
@app.post("/clear") @app.post("/clear")
@auth_required @auth_required
@validate_formkey
def clear(v): def clear(v):
for n in v.notifications.filter_by(read=False).all(): for n in v.notifications.filter_by(read=False).all():
n.read = True n.read = True
@ -210,7 +211,8 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, filter_words='
posts = posts.filter(Submission.created_utc >= cutoff) posts = posts.filter(Submission.created_utc >= cutoff)
else: cutoff = 0 else: cutoff = 0
posts = posts.filter_by(is_banned=False, stickied=None, private=False, deleted_utc = 0) if sort == "new": posts = posts.filter_by(is_banned=False, private=False, deleted_utc = 0)
else: posts = posts.filter_by(is_banned=False, stickied=None, private=False, deleted_utc = 0)
if v and v.admin_level == 0: if v and v.admin_level == 0:
blocking = [x[0] for x in g.db.query( blocking = [x[0] for x in g.db.query(
@ -263,13 +265,14 @@ def frontlist(v=None, sort="hot", page=1, t="all", ids_only=True, filter_words='
posts = posts[:size] posts = posts[:size]
if sort != "new":
pins = g.db.query(Submission).filter(Submission.stickied != None, Submission.is_banned == False) pins = g.db.query(Submission).filter(Submission.stickied != None, Submission.is_banned == False)
if v and v.admin_level == 0: if v and v.admin_level == 0:
blocking = [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=v.id).all()] blocking = [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=v.id).all()]
blocked = [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=v.id).all()] blocked = [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=v.id).all()]
pins = pins.filter(Submission.author_id.notin_(blocking), Submission.author_id.notin_(blocked)) pins = pins.filter(Submission.author_id.notin_(blocking), Submission.author_id.notin_(blocked))
if page == 1 and not gt and not lt: posts = pins.all() + posts if sort != "new" and page == 1 and not gt and not lt: posts = pins.all() + posts
if ids_only: posts = [x.id for x in posts] if ids_only: posts = [x.id for x in posts]
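Review bot: With the new `if sort != "new":` guard, `pins` is never bound when sort is "new", so the `sort != "new" and` clause added to the final line is the only thing preventing an UnboundLocalError; the rendered diff drops indentation, so I cannot confirm that the blocking-filter lines that reassign `pins` are nested under the guard, but they must be. Initialising `pins = None` before the guard, or a comment such as `# pins are only built and prepended when sort != "new"; "new" lists stickied posts inline`, would make the coupling between the two conditions explicit. frontlist continues outside the hunk.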


@ -38,6 +38,7 @@ def authorize(v):
@app.post("/api_keys") @app.post("/api_keys")
@limiter.limit("1/second") @limiter.limit("1/second")
@is_not_banned @is_not_banned
@validate_formkey
def request_api_keys(v): def request_api_keys(v):
new_app = OauthApp( new_app = OauthApp(
@ -253,6 +254,7 @@ def admin_apps_list(v):
@app.post("/oauth/reroll/<aid>") @app.post("/oauth/reroll/<aid>")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def reroll_oauth_tokens(aid, v): def reroll_oauth_tokens(aid, v):
aid = aid aid = aid


@ -8,6 +8,7 @@ from files.helpers.sanitize import filter_emojis_only
@app.post("/report/post/<pid>") @app.post("/report/post/<pid>")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def api_flag_post(pid, v): def api_flag_post(pid, v):
post = get_post(pid) post = get_post(pid)
@ -38,6 +39,7 @@ def api_flag_post(pid, v):
@app.post("/report/comment/<cid>") @app.post("/report/comment/<cid>")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def api_flag_comment(cid, v): def api_flag_comment(cid, v):
comment = get_comment(cid) comment = get_comment(cid)


@ -34,6 +34,7 @@ tiers={
@app.post("/settings/removebackground") @app.post("/settings/removebackground")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def removebackground(v): def removebackground(v):
v.background = None v.background = None
g.db.add(v) g.db.add(v)
@ -439,6 +440,7 @@ def settings_profile_post(v):
@app.post("/settings/filters") @app.post("/settings/filters")
@auth_required @auth_required
@validate_formkey
def filters(v): def filters(v):
filters=request.values.get("filters")[:1000].strip() filters=request.values.get("filters")[:1000].strip()
@ -810,6 +812,7 @@ def settings_css_get(v):
@app.post("/settings/css") @app.post("/settings/css")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def settings_css(v): def settings_css(v):
css = request.values.get("css").strip().replace('\\', '').strip()[:4000] css = request.values.get("css").strip().replace('\\', '').strip()[:4000]
@ -826,14 +829,15 @@ def settings_css(v):
@auth_required @auth_required
def settings_profilecss_get(v): def settings_profilecss_get(v):
if v.truecoins < 1000 and not v.patron and v.admin_level == 0 : return f"You must have +1000 {COINS_NAME} or be a patron to set profile css." if v.truecoins < 1000 and not v.patron and v.admin_level == 0 : return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css."
return render_template("settings_profilecss.html", v=v) return render_template("settings_profilecss.html", v=v)
@app.post("/settings/profilecss") @app.post("/settings/profilecss")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def settings_profilecss(v): def settings_profilecss(v):
if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a patron to set profile css." if v.truecoins < 1000 and not v.patron: return f"You must have +1000 {COINS_NAME} or be a paypig to set profile css."
profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000] profilecss = request.values.get("profilecss").strip().replace('\\', '').strip()[:4000]
v.profilecss = profilecss v.profilecss = profilecss
g.db.add(v) g.db.add(v)


@ -230,6 +230,7 @@ def contact(v):
@app.post("/contact") @app.post("/contact")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def submit_contact(v): def submit_contact(v):
message = f'This message has been sent automatically to all admins via https://{site}/contact, user email is "{v.email}"\n\nMessage:\n\n' + request.values.get("message", "") message = f'This message has been sent automatically to all admins via https://{site}/contact, user email is "{v.email}"\n\nMessage:\n\n' + request.values.get("message", "")
send_admin(v.id, message) send_admin(v.id, message)


@ -97,6 +97,7 @@ def downvoting(v, username):
@app.post("/pay_rent") @app.post("/pay_rent")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def pay_rent(v): def pay_rent(v):
if v.coins < 500: return "You must have more than 500 coins." if v.coins < 500: return "You must have more than 500 coins."
v.coins -= 500 v.coins -= 500
@ -113,6 +114,7 @@ def pay_rent(v):
@app.post("/steal") @app.post("/steal")
@limiter.limit("1/second") @limiter.limit("1/second")
@is_not_banned @is_not_banned
@validate_formkey
def steal(v): def steal(v):
if int(time.time()) - v.created_utc < 604800: if int(time.time()) - v.created_utc < 604800:
return "You must have an account older than 1 week in order to attempt stealing." return "You must have an account older than 1 week in order to attempt stealing."
@ -167,6 +169,7 @@ def thiefs(v):
@app.post("/@<username>/suicide") @app.post("/@<username>/suicide")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def suicide(v, username): def suicide(v, username):
t = int(time.time()) t = int(time.time())
if v.admin_level == 0 and t - v.suicide_utc < 86400: return {"message": "You're on 1-day cooldown!"} if v.admin_level == 0 and t - v.suicide_utc < 86400: return {"message": "You're on 1-day cooldown!"}
@ -312,6 +315,7 @@ def song(song):
@app.post("/subscribe/<post_id>") @app.post("/subscribe/<post_id>")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def subscribe(v, post_id): def subscribe(v, post_id):
new_sub = Subscription(user_id=v.id, submission_id=post_id) new_sub = Subscription(user_id=v.id, submission_id=post_id)
g.db.add(new_sub) g.db.add(new_sub)
@ -321,6 +325,7 @@ def subscribe(v, post_id):
@app.post("/unsubscribe/<post_id>") @app.post("/unsubscribe/<post_id>")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def unsubscribe(v, post_id): def unsubscribe(v, post_id):
sub=g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).first() sub=g.db.query(Subscription).filter_by(user_id=v.id, submission_id=post_id).first()
if sub: if sub:
@ -337,6 +342,7 @@ def reportbugs(v):
@limiter.limit("1/second") @limiter.limit("1/second")
@limiter.limit("10/hour") @limiter.limit("10/hour")
@auth_required @auth_required
@validate_formkey
def message2(v, username): def message2(v, username):
user = get_user(username, v=v) user = get_user(username, v=v)
@ -400,6 +406,7 @@ def message2(v, username):
@limiter.limit("1/second") @limiter.limit("1/second")
@limiter.limit("6/minute") @limiter.limit("6/minute")
@auth_required @auth_required
@validate_formkey
def messagereply(v): def messagereply(v):
message = request.values.get("body", "").strip()[:1000].strip() message = request.values.get("body", "").strip()[:1000].strip()
@ -727,6 +734,7 @@ def u_username_info(username, v=None):
@app.post("/follow/<username>") @app.post("/follow/<username>")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def follow_user(username, v): def follow_user(username, v):
target = get_user(username) target = get_user(username)
@ -752,6 +760,7 @@ def follow_user(username, v):
@app.post("/unfollow/<username>") @app.post("/unfollow/<username>")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def unfollow_user(username, v): def unfollow_user(username, v):
target = get_user(username) target = get_user(username)
@ -778,6 +787,7 @@ def unfollow_user(username, v):
@app.post("/remove_follow/<username>") @app.post("/remove_follow/<username>")
@limiter.limit("1/second") @limiter.limit("1/second")
@auth_required @auth_required
@validate_formkey
def remove_follow(username, v): def remove_follow(username, v):
target = get_user(username) target = get_user(username)
@ -869,6 +879,7 @@ def saved_comments(v, username):
@app.post("/fp/<fp>") @app.post("/fp/<fp>")
@auth_required @auth_required
@validate_formkey
def fp(v, fp): def fp(v, fp):
if v.username != fp: if v.username != fp:
v.fp = fp v.fp = fp


@ -196,6 +196,7 @@ def api_vote_comment(comment_id, new, v):
@app.post("/vote/poll/<comment_id>") @app.post("/vote/poll/<comment_id>")
@auth_required @auth_required
@validate_formkey
def api_vote_poll(comment_id, v): def api_vote_poll(comment_id, v):
vote = request.values.get("vote") vote = request.values.get("vote")


@ -102,6 +102,6 @@
</nav> </nav>
{% endif %} {% endif %}
<script src="/assets/js/changelog.js?v=54"></script> <script src="/assets/js/changelog.js?v=55"></script>
{% endblock %} {% endblock %}


@ -749,7 +749,7 @@
{% if v %} {% if v %}
<script src="/assets/js/marked.js?v=1"></script> <script src="/assets/js/marked.js?v=1"></script>
<script src="/assets/js/comments_v.js?v=85"></script> <script src="/assets/js/comments_v.js?v=86"></script>
{% endif %} {% endif %}
<script src="/assets/js/clipboard.js?v=3"></script> <script src="/assets/js/clipboard.js?v=3"></script>


@ -287,7 +287,7 @@
<script src="/assets/js/lozad.js?v=54"></script> <script src="/assets/js/lozad.js?v=54"></script>
{% if v %} {% if v %}
<script src="/assets/js/default.js?v=59"></script> <script src="/assets/js/default.js?v=60"></script>
{% endif %} {% endif %}
<link rel="stylesheet" href="/assets/css/lite-youtube.css?v=3"> <link rel="stylesheet" href="/assets/css/lite-youtube.css?v=3">


@ -213,7 +213,7 @@
</div> </div>
</nav> </nav>
<script src="/assets/js/header.js?v=54"></script> <script src="/assets/js/header.js?v=56"></script>
<style> <style>
.notif-count { .notif-count {


@ -4,7 +4,7 @@
{% block content %} {% block content %}
<script src="/assets/js/settings_block.js?v=2"></script> <script src="/assets/js/settings_blocks.js?v=2"></script>
<div class="row"> <div class="row">
@ -121,4 +121,8 @@
</div> </div>
</div> </div>
{% if v %}
<div id="formkey" class="d-none">{{v.formkey}}</div>
{% endif %}
{% endblock %} {% endblock %}


@ -687,4 +687,8 @@
{% include "emoji_modal.html" %} {% include "emoji_modal.html" %}
{% include "gif_modal.html" %} {% include "gif_modal.html" %}
{% if v %}
<div id="formkey" class="d-none">{{v.formkey}}</div>
{% endif %}
{% endblock %} {% endblock %}


@ -805,7 +805,7 @@
</div> </div>
{% if offset %} {% if offset %}
<script src="/assets/js/viewmore.js?v=1"></script> <script src="/assets/js/viewmore.js?v=2"></script>
{% endif %} {% endif %}
{% elif not p.replies and p.deleted_utc == 0 %} {% elif not p.replies and p.deleted_utc == 0 %}
@ -865,7 +865,7 @@
{% if not p.comment_count %} {% if not p.comment_count %}
{% if v %} {% if v %}
<script src="/assets/js/comments_v.js?v=85"></script> <script src="/assets/js/comments_v.js?v=86"></script>
{% include "award_modal.html" %} {% include "award_modal.html" %}
{% include "emoji_modal.html" %} {% include "emoji_modal.html" %}
{% include "gif_modal.html" %} {% include "gif_modal.html" %}


@ -35,67 +35,6 @@
{% if v %} {% if v %}
<script> <script>
const TRANSFER_TAX = {% if v.patron or u.patron %}0{% else %}0.03{% endif %};
function updateTax(mobile=false) {
let suf = mobile ? "-mobile" : "";
let amount = parseInt(document.getElementById("coins-transfer-amount" + suf).value);
if(isNaN(amount) || amount < 0) {
amount = 0;
}
document.getElementById("coins-transfer-taxed" + suf).innerText = amount - Math.ceil(amount*TRANSFER_TAX);
}
function transferCoins(mobile=false) {
let t = event.target;
t.disabled = true;
let amount = parseInt(document.getElementById("coins-transfer-amount").value);
let transferred = amount - Math.ceil(amount*TRANSFER_TAX);
post_toast_callback("/@{{u.username}}/transfer_coins",
{"amount": document.getElementById(mobile ? "coins-transfer-amount-mobile" : "coins-transfer-amount").value},
(xhr) => {
if(xhr.status == 200) {
document.getElementById("user-coins-amount").innerText = parseInt(document.getElementById("user-coins-amount").innerText) - amount;
document.getElementById("profile-coins-amount-mobile").innerText = parseInt(document.getElementById("profile-coins-amount-mobile").innerText) + transferred;
document.getElementById("profile-coins-amount").innerText = parseInt(document.getElementById("profile-coins-amount").innerText) + transferred;
}
}
);
setTimeout(_ => t.disabled = false, 2000);
}
</script>
{% endif %}
{% if u.song %}
<script>
var audio = new Audio('/songs/{{u.id}}');
audio.loop=true;
{% if not u.unmutable %}
function pause() {
audio.pause();
document.getElementById("pause1").classList.toggle("d-none");
document.getElementById("play1").classList.toggle("d-none");
document.getElementById("pause2").classList.toggle("d-none");
document.getElementById("play2").classList.toggle("d-none");
}
function play() {
audio.play();
document.getElementById("pause1").classList.toggle("d-none");
document.getElementById("play1").classList.toggle("d-none");
document.getElementById("pause2").classList.toggle("d-none");
document.getElementById("play2").classList.toggle("d-none");
}
{% endif %}
audio.play();
document.getElementById('userpage').addEventListener('click', () => {
if (audio.paused) audio.play();
}, {once : true});
</script> </script>
{% endif %} {% endif %}
@ -780,8 +719,18 @@
{% include "emoji_modal.html" %} {% include "emoji_modal.html" %}
{% endif %} {% endif %}
<script src="/assets/js/userpage.js?v=72"></script>
{% endblock %} {% endblock %}
{% block GIFpicker %} {% block GIFpicker %}
{% if u.song %}
<div id="uid" class="d-none">{{u.id}}</div>
{% endif %}
{% if v}
<script src="/assets/js/userpage_v.js?v=75"></script>
<div id="tax" class="d-none">{% if v.patron or u.patron %}0{% else %}0.03{% endif %}</div>
<div id="username" class="d-none">{{u.username}}</div>
{% endif %}
<script src="/assets/js/userpage.js?v=75"></script>
{% endblock %} {% endblock %}
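Review bot: `{% if v}` on the new side is missing the closing `%}`, so Jinja raises a TemplateSyntaxError and the whole user page fails to render; it should read `{% if v %}`. Inside that block the `userpage_v.js` script tag comes before the `#tax` and `#username` divs it presumably reads (the new script in this commit looks the tax element up at top level), and a classic script runs at parse time, so those lookups return null; move the two hidden divs above the `<script>` tag. The `#uid` div is correctly placed before both scripts.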


@ -33,5 +33,4 @@
{% endblock %} {% endblock %}
{% block pagenav %} {% block pagenav %}
<script src="/assets/js/userpage.js?v=72"></script>
{% endblock %} {% endblock %}