From e407c29ec726e7f7130b85a6a069b23b44a7f89b Mon Sep 17 00:00:00 2001
From: TLSM
Date: Tue, 6 Sep 2022 05:29:25 -0400
Subject: [PATCH] Fix #267: /comments respects shadowbans, filters. Resolves root problem of non-admin users seeing comments they shouldn't by JOINing on the appropriate fields and including them in the WHERE clause of the query. In the process, was also able to remove some unperformant queries that used (potentially extremely long) lists passed to WHERE clauses in lieu of proper JOINs.
---
 files/routes/front.py | 23 ++++++++++++-----------
 1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/files/routes/front.py b/files/routes/front.py
index d0d2638ee..081263d97 100644
--- a/files/routes/front.py
+++ b/files/routes/front.py
@@ -526,19 +526,20 @@ def all_comments(v):
 @cache.memoize(timeout=86400)
 def comment_idlist(page=1, v=None, nsfw=False, sort="new", t="all", gt=0, lt=0, site=None):
-
- comments = g.db.query(Comment.id).filter(Comment.parent_submission != None)
+ comments = g.db.query(Comment.id) \
+ .join(Comment.post) \
+ .join(Comment.author) \
+ .filter(Comment.parent_submission != None)
 if v.admin_level < 2:
- private = [x[0] for x in g.db.query(Submission.id).filter(Submission.private == True).all()]
-
- comments = comments.filter(Comment.author_id.notin_(v.userblocks), Comment.is_banned==False, Comment.deleted_utc == 0, Comment.parent_submission.notin_(private))
-
-
- if not v.paid_dues:
- club = [x[0] for x in g.db.query(Submission.id).filter(Submission.club == True).all()]
- comments = comments.filter(Comment.parent_submission.notin_(club))
-
+ comments = comments.filter(
+ Comment.author_id.notin_(v.userblocks),
+ Comment.is_banned == False,
+ Comment.deleted_utc == 0,
+ Submission.private == False, # comment parent post not private
+ User.shadowbanned == None, # comment author not shadowbanned
+ Comment.filter_state.notin_(('filtered', 'removed')),
+ )
 if gt: comments = comments.filter(Comment.created_utc > gt)
 if lt: comments = comments.filter(Comment.created_utc < lt)
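Review bot: The rewritten `v.admin_level < 2` branch no longer excludes comments on club posts: the removed `if not v.paid_dues:` block filtered out parents with `Submission.club == True`, and nothing on the new side replaces it, while the commit message only mentions shadowbans and filters. Unless club gating was retired elsewhere, this widens what non-paying users can list; since `Comment.post` is now joined, the check can be kept as `if not v.paid_dues: comments = comments.filter(Submission.club == False)`. Separately, the function is wrapped in `@cache.memoize(timeout=86400)`, so a comment whose author is shadowbanned or whose `filter_state` changes after the list is cached may presumably stay in the returned ids for up to a day, and because the result depends on the viewer it is worth confirming how `v` enters the cache key. `comment_idlist` continues past the end of this hunk.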