Merge remote-tracking branch 'origin/frost' into themotte-issue-451

files/routes/__init__.py

@@ -1,3 +1,5 @@
+from files.__main__ import app
+
 from .admin import *
 from .comments import *
 from .errors import *
@@ -15,4 +17,6 @@ from .feeds import *
 from .awards import *
 from .giphy import *
 from .volunteer import *
+if app.debug:
+	from .dev import *
 # from .subs import *

files/routes/awards.py

@@ -336,7 +336,7 @@ def admin_userawards_post(v):
 	try: u = request.values.get("username").strip()
 	except: abort(404)
 
-	whitelist = ("shit", "fireflies", "train", "scooter", "wholesome", "tilt", "glowie")
+	whitelist = ("shit", "fireflies", "train", "scooter", "wholesome", "glowie")
 
 	u = get_user(u, graceful=False, v=v)
 

files/routes/dev.py

@@ -0,0 +1,20 @@
+from secrets import token_hex
+from flask import session, redirect, request
+
+from files.helpers.const import PERMS
+from files.helpers.get import get_user
+from files.helpers.wrappers import admin_level_required
+from files.__main__ import app
+
+if not app.debug:
+	raise ImportError("Importing dev routes is not allowed outside of debug mode!")
+
+@app.post('/dev/sessions/')
+@admin_level_required(PERMS['DEBUG_LOGIN_TO_OTHERS'])
+def login_to_other_account(v):
+	u = get_user(request.values.get('username'))
+	session.permanent = True
+	session["lo_user"] = u.id
+	session["login_nonce"] = u.login_nonce
+	session["session_id"] = token_hex(49)
+	return redirect('/')

files/routes/front.py

@@ -1,5 +1,6 @@
 from files.helpers.wrappers import *
 from files.helpers.get import *
+from files.helpers.strings import sql_ilike_clean
 from files.__main__ import app, cache, limiter
 from files.classes.submission import Submission
 from files.helpers.contentsorting import apply_time_filter, sort_objects
@@ -269,7 +270,7 @@ def frontlist(v=None, sort='new', page=1, t="all", ids_only=True, ccmode="false"
 
 	if v and filter_words:
 		for word in filter_words:
-			word  = word.replace(r'\\', '').replace('_', r'\_').replace('%', r'\%').strip()
+			word  = sql_ilike_clean(word).strip()
 			posts=posts.filter(not_(Submission.title.ilike(f'%{word}%')))
 
 	if not (v and v.shadowbanned):

files/routes/login.py

@@ -2,7 +2,6 @@ from urllib.parse import urlencode
 from files.mail import *
 from files.__main__ import app, limiter
 from files.helpers.const import *
-from files.helpers.strings import sql_ilike_clean
 import requests
 
 @app.get("/login")
@@ -90,7 +89,7 @@ def login_post():
 	if username.startswith('@'): username = username[1:]
 
 	if "@" in username:
-		try: account = g.db.query(User).filter(User.email.ilike(sql_ilike_clean(username))).one_or_none()
+		try: account = g.db.query(User).filter(func.lower(User.email) == username.lower()).one_or_none()
 		except: return "Multiple users use this email!"
 	else: account = get_user(username, graceful=True)
 
@@ -189,8 +188,7 @@ def sign_up_get(v):
 	ref = request.values.get("ref")
 
 	if ref:
-		ref  = sql_ilike_clean(ref)
-		ref_user = g.db.query(User).filter(User.username.ilike(ref)).one_or_none()
+		ref_user = g.db.query(User).filter(func.lower(User.username) == ref.lower()).one_or_none()
 
 	else:
 		ref_user = None
@@ -386,13 +384,11 @@ def post_forgot():
 	if not email_regex.fullmatch(email):
 		return render_template("forgot_password.html", error="Invalid email.")
 
-
-	username  = sql_ilike_clean(username.lstrip('@'))
-	email  = sql_ilike_clean(email)
+	username  = username.lstrip('@')
 
 	user = g.db.query(User).filter(
-		User.username.ilike(username),
-		User.email.ilike(email)).one_or_none()
+		func.lower(User.username) == username.lower(),
+		func.lower(User.email) == email.lower()).one_or_none()
 
 	if user:
 		now = int(time.time())

files/routes/posts.py

@@ -2,10 +2,10 @@ import time
 import gevent
 from files.helpers.wrappers import *
 from files.helpers.sanitize import *
-from files.helpers.strings import sql_ilike_clean
 from files.helpers.alerts import *
 from files.helpers.contentsorting import sort_objects
 from files.helpers.const import *
+from files.helpers.strings import sql_ilike_clean
 from files.classes import *
 from flask import *
 from io import BytesIO
@@ -658,7 +658,7 @@ def api_is_repost():
 
 	if url.endswith('/'): url = url[:-1]
 
-	search_url = url.replace('%', '').replace(r'\\', '').replace('_', r'\_').strip()
+	search_url = sql_ilike_clean(url)
 	repost = g.db.query(Submission).filter(
 		Submission.url.ilike(search_url),
 		Submission.deleted_utc == 0,
@@ -735,13 +735,12 @@ def submit_post(v, sub=None):
 								query=urlencode(filtered, doseq=True),
 								fragment=parsed_url.fragment)
 		
-		url = urlunparse(new_url)
+		search_url = urlunparse(new_url)
 
-		if url.endswith('/'): url = url[:-1]
+		if search_url.endswith('/'): url = url[:-1]
 
-		search_url = sql_ilike_clean(url)
 		repost = g.db.query(Submission).filter(
-			Submission.url.ilike(search_url),
+			func.lower(Submission.url) == search_url.lower(),
 			Submission.deleted_utc == 0,
 			Submission.is_banned == False
 		).first()

files/routes/search.py

@@ -72,8 +72,7 @@ def searchposts(v):
 		else: posts = posts.filter(Submission.author_id == author.id)
 
 	if 'q' in criteria:
-		words=criteria['q'].split()
-		words = criteria['q'].replace(r'\\', '').replace('_', r'\_').replace('%', r'\%').strip().split()
+		words = sql_ilike_clean(criteria['q']).split()
 		words=[Submission.title.ilike('%'+x+'%') for x in words]
 		posts=posts.filter(*words)
 		
@@ -158,7 +157,7 @@ def searchcomments(v):
 		else: comments = comments.filter(Comment.author_id == author.id)
 
 	if 'q' in criteria:
-		words = criteria['q'].replace(r'\\', '').replace('_', r'\_').replace('%', r'\%').strip().split()
+		words = sql_ilike_clean(criteria['q']).split()
 
 		words = [Comment.body.ilike('%'+x+'%') for x in words]
 		comments = comments.filter(*words)

files/routes/settings.py

@@ -626,12 +626,10 @@ def settings_name_change(v):
 						   v=v,
 						   error="This isn't a valid username.")
 
-	search_name = sql_ilike_clean(new_name)
-
-	x= g.db.query(User).filter(
+	x = g.db.query(User).filter(
 		or_(
-			User.username.ilike(search_name),
-			User.original_username.ilike(search_name)
+			func.lower(User.username) == new_name.lower(),
+			func.lower(User.original_username) == new_name.lower()
 			)
 		).one_or_none()
 

files/routes/volunteer.py

@@ -6,7 +6,7 @@ import files.helpers.jinja2
 from files.helpers.wrappers import auth_required
 from files.routes.volunteer_common import VolunteerDuty
 import files.routes.volunteer_janitor
-from flask import render_template, g, request
+from flask import abort, render_template, g, request
 from os import environ
 import sqlalchemy
 from typing import Optional

files/routes/volunteer_janitor.py

@@ -1,4 +1,5 @@
 
+from typing import Optional
 from files.__main__ import app
 from files.classes.comment import Comment
 from files.classes.flags import CommentFlag
@@ -33,7 +34,7 @@ class VolunteerDutyJanitor(VolunteerDuty):
         return g.db.query(Comment).where(Comment.id.in_(self.choices))
 
 
-def get_duty(u: User) -> VolunteerDutyJanitor:
+def get_duty(u: User) -> Optional[VolunteerDutyJanitor]:
     if not app.config['VOLUNTEER_JANITOR_ENABLE']:
         return None