From a213396854856aad0bde64758c2a0435aa5f5c10 Mon Sep 17 00:00:00 2001
From: justcool393 <justcool393@gmail.com>
Date: Sat, 17 Dec 2022 09:11:51 -0800
Subject: [PATCH] Solve blocking weaponization.

* allow anyone to reply to their blockers

* revert userblocks thing

* get rid of unnecessary template

* make blocking page accurate

* comment author things

* fix prev commit

* fix block page

* comma splice

Co-authored-by: Snakes <104547575+TLSM@users.noreply.github.com>
---
 files/assets/js/comments_v.js         |  8 ++++++--
 files/classes/user.py                 |  9 ++++++++-
 files/routes/comments.py              | 18 ++++++++++++------
 files/routes/users.py                 | 18 ------------------
 files/templates/settings_blocks.html  | 21 +--------------------
 files/templates/userpage_blocked.html | 24 ------------------------
 6 files changed, 27 insertions(+), 71 deletions(-)
 delete mode 100644 files/templates/userpage_blocked.html

diff --git a/files/assets/js/comments_v.js b/files/assets/js/comments_v.js
index 2440a46f1..0ceb03dab 100644
--- a/files/assets/js/comments_v.js
+++ b/files/assets/js/comments_v.js
@@ -315,8 +315,12 @@ function post_comment(fullname,id,level = 1){
 					replyArea.classList.add('d-none');
 				}
 			}
-		}
-		else {
+
+			if (data["message"]) {
+				document.getElementById("toast-post-success-text").innerText = data["message"];
+				bootstrap.Toast.getOrCreateInstance(document.getElementById("toast-post-success")).show();
+			}
+		} else {
 			if (data && data["error"]) document.getElementById('toast-post-error-text').innerText = data["error"];
 			if (data && data["details"]) document.getElementById('toast-post-error-text').innerText = data["details"];
 			else document.getElementById('toast-post-error-text').innerText = "Error, please try again later."
diff --git a/files/classes/user.py b/files/classes/user.py
index b8d256564..d455abc92 100644
--- a/files/classes/user.py
+++ b/files/classes/user.py
@@ -627,11 +627,18 @@ class User(Base):
 	def subscribed_idlist(self, page=1):
 		posts = g.db.query(Subscription.submission_id).filter_by(user_id=self.id).all()
 		return [x[0] for x in posts]
+	
+	@property
+	@lazy
+	def all_userblocks(self):
+		''' User blocks by and targeting this user '''
+		return [x[0] for x in g.db.query(UserBlock.target_id).filter(or_(UserBlock.user_id == self.id, UserBlock.target_id == self.id)).all()]
 
 	@property
 	@lazy
 	def userblocks(self):
-		return [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=self.id).all()] + [x[0] for x in g.db.query(UserBlock.user_id).filter_by(target_id=self.id).all()]
+		''' User blocks by this user '''
+		return [x[0] for x in g.db.query(UserBlock.target_id).filter_by(user_id=self.id).all()]
 
 	@lazy
 	def saved_idlist(self, page=1):
diff --git a/files/routes/comments.py b/files/routes/comments.py
index d31b04160..89c299558 100644
--- a/files/routes/comments.py
+++ b/files/routes/comments.py
@@ -216,8 +216,7 @@ def api_comment(v):
 	if existing:
 		abort(409, f"You already made that comment: /comment/{existing.id}")
 
-	if parent.author.any_block_exists(v) and v.admin_level < 2:
-		abort(403, "You can't reply to users who have blocked you, or users you have blocked.")
+	replying_to_blocked = parent.author.is_blocking(v) and v.admin_level < 2
 
 	is_bot = bool(request.headers.get("Authorization"))
 
@@ -297,10 +296,16 @@ def api_comment(v):
 	g.db.commit()
 
 	if request.headers.get("Authorization"): return c.json
-	return {"comment": render_template("comments.html", v=v, comments=[c], ajax=True, parent_level=level)}
+	
+	if replying_to_blocked:
+		message = "This user has blocked you. You are still welcome to reply " \
+				  "but you will be held to a higher standard of civility than you would be otherwise"
+	else:
+		message = None
+	return {"comment": render_template("comments.html", v=v, comments=[c], ajax=True, parent_level=level), "message": message}
 
 
-def comment_on_publish(comment):
+def comment_on_publish(comment:Comment):
 	"""
 	Run when comment becomes visible: immediately for non-filtered comments,
 	or on approval for previously filtered comments.
@@ -308,10 +313,11 @@ def comment_on_publish(comment):
 	reflect the comments users will actually see.
 	"""
 	# TODO: Get this out of the routes and into a model eventually...
+	author = comment.author
 
 	# Shadowbanned users are invisible. This may lead to inconsistencies if
 	# a user comments while shadowed and is later unshadowed. (TODO?)
-	if comment.author.shadowbanned:
+	if author.shadowbanned:
 		return
 
 	# Comment instances used for purposes other than actual comments (notifs,
@@ -329,7 +335,7 @@ def comment_on_publish(comment):
 	to_notify.update([x[0] for x in post_subscribers])
 
 	parent = comment.parent
-	if parent and parent.author_id != comment.author_id:
+	if parent and parent.author_id != comment.author_id and not parent.author.is_blocking(author):
 		to_notify.add(parent.author_id)
 
 	for uid in to_notify:
diff --git a/files/routes/users.py b/files/routes/users.py
index 3e50ebf0a..2ff31ec20 100644
--- a/files/routes/users.py
+++ b/files/routes/users.py
@@ -772,11 +772,7 @@ def visitors(v):
 @app.get("/@<username>")
 @auth_desired
 def u_username(username, v=None):
-
-
 	u = get_user(username, v=v)
-
-
 	if username != u.username:
 		return redirect(SITE_FULL + request.full_path.replace(username, u.username)[:-1])
 
@@ -803,12 +799,6 @@ def u_username(username, v=None):
 		if request.headers.get("Authorization") or request.headers.get("xhr"): abort(403, f"You are blocking @{u.username}.")
 		return render_template("userpage_blocking.html", u=u, v=v)
 
-
-	if v and v.admin_level < 2 and hasattr(u, 'is_blocked') and u.is_blocked:
-		if request.headers.get("Authorization") or request.headers.get("xhr"): abort(403, "This person is blocking you.")
-		return render_template("userpage_blocked.html", u=u, v=v)
-
-
 	sort = request.values.get("sort", "new")
 	t = request.values.get("t", "all")
 	try: page = max(int(request.values.get("page", 1)), 1)
@@ -858,11 +848,8 @@ def u_username(username, v=None):
 @app.get("/@<username>/comments")
 @auth_desired
 def u_username_comments(username, v=None):
-
 	user = get_user(username, v=v)
-
 	if username != user.username: return redirect(f'/@{user.username}/comments')
-
 	u = user
 
 	if u.reserved:
@@ -880,11 +867,6 @@ def u_username_comments(username, v=None):
 		if request.headers.get("Authorization") or request.headers.get("xhr"): abort(403, f"You are blocking @{u.username}.")
 		return render_template("userpage_blocking.html", u=u, v=v)
 
-	if v and v.admin_level < 2 and hasattr(u, 'is_blocked') and u.is_blocked:
-		if request.headers.get("Authorization") or request.headers.get("xhr"): abort(403, "This person is blocking you.")
-		return render_template("userpage_blocked.html", u=u, v=v)
-
-
 	try: page = max(int(request.values.get("page", "1")), 1)
 	except: page = 1
 	
diff --git a/files/templates/settings_blocks.html b/files/templates/settings_blocks.html
index 9b8838af1..0d093bd18 100644
--- a/files/templates/settings_blocks.html
+++ b/files/templates/settings_blocks.html
@@ -1,15 +1,10 @@
 {% extends "settings.html" %}
-
 {% block pagetitle %}Block Settings - {{SITE_TITLE}}{% endblock %}
-
 {% block content %}
 
 <script src="{{ 'js/settings_blocks.js' | asset }}"></script>
-
 <div class="row">
-
 	<div class="col">
-
 		{% if error %}
 		<div class="alert alert-danger alert-dismissible fade show my-3" role="alert">
 			<i class="fas fa-exclamation-circle my-auto"></i>
@@ -21,29 +16,20 @@
 			</button>
 		</div>
 		{% endif %}
-
 	</div>
-
 </div>
-
-
 <div class="row">
-
 	<div class="col">
-
 		<div class="d-md-flex justify-content-between mb-3">
-
 			<div>
 				<h2 class="h5">Users you block</h2>
-				<p class="text-small text-muted mb-md-0">You have blocked the following users. They cannot reply to your content or notify you with a username mention.</p>
+				<p class="text-small text-muted mb-md-0">You have blocked the following users. They cannot notify you or send you messages and their comments are hidden.</p>
 			</div>
 			<div class="mt-auto">
 				<button class="btn btn-primary" data-bs-toggle="modal" data-bs-target="#blockmodal">Block user</button>
 			</div>
 		</div>
 
-
-
 	{% if v.blocking.first() %}
 	<div class="card mb-5">
 		<div class="overflow-x-auto"><table class="table table-hover rounded mb-0">
@@ -61,9 +47,7 @@
 						<a href="{{block.target.permalink}}">
 							<img loading="lazy" src="{{block.target.profile_url}}" class="pp20 align-top mr-2">@{{block.target.username}}</a>
 					</td>
-
 					<td>{{block.created_date}}</td>
-
 						<td>
 							<div class="dropdown float-right dropdown-actions">
 								<a role="button" id="dropdownMoreLink" data-bs-toggle="dropdown" aria-haspopup="true" aria-expanded="false" style="line-height: 0;">
@@ -87,9 +71,7 @@
 			<p class="font-weight-bold text-gray-500 mb-0">No blocked users</p>
 		</div>
 		{% endif %}
-
 	</div>
-
 </div>
 
 <div class="modal fade" id="blockmodal" tabindex="-1" role="dialog" aria-labelledby="blockmodal" aria-hidden="true">
@@ -120,5 +102,4 @@
 		<i class="fas fa-exclamation-circle text-danger mr-2"></i><span id="toast-error-message">Error. Please try again.</span>
 	</div>
 </div>
-
 {% endblock %}
diff --git a/files/templates/userpage_blocked.html b/files/templates/userpage_blocked.html
deleted file mode 100644
index f7df082cd..000000000
--- a/files/templates/userpage_blocked.html
+++ /dev/null
@@ -1,24 +0,0 @@
-{% extends "default.html" %}
-
-{% block pagetype %}userpage{% endblock %}
-
-{% block fixedMobileBarJS %}
-{% endblock %}
-
-{% block title %}
-<title><span {% if u.patron %}class="patron" style="background-color:#{{u.namecolor}}"{% endif %}>{{u.username}}</span></title>
-
-{% endblock %}
-
-<div class="row no-gutters">
-	<div class="col-12">
-		<div class="text-center py-7 py-md-8">
-			<span class="fa-stack fa-2x text-muted mb-4">
-				<i class="fas fa-square text-danger opacity-25 fa-stack-2x"></i>
-				<i class="fas text-danger fa-user-cog fa-stack-1x text-lg"></i>
-			</span>
-			<h2 class="h5">@{{u.username}} has blocked you.</h2>
-			<p class="text-muted">You can't see their profile.</p>
-		</div>
-	</div>
-</div>