authorubq323 <ubq323@ubq323.website>2022-05-13 21:46:16 +0100
committerubq323 <ubq323@ubq323.website>2022-05-13 21:46:16 +0100
commit6f5741731efac510336e2b5d512b4523b9d8da13 (patch)
tree1077add42b932ace8630f5de27421f8e626c4c3e
parent3644b35b92494965edb4916fdb368fd49c8d4bf2 (diff)
fix permissions for view_post, and 404 instead of redirecting
previously it was possible to see posts you didn't have permissions to view, by using /view_post/<id>. now, this checks permissions. previously if a post with the given id did not exist, it would redirect you back to /, with an error message. now, it gives a 404 page, which is consistent with the behaviour when a thread or forum with the given id is not found.
-rw-r--r--apioforum/thread.py14
1 files changed, 10 insertions, 4 deletions
diff --git a/apioforum/thread.py b/apioforum/thread.py
index 4f5c2a0..83b1adc 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -339,12 +339,18 @@ def edit_post(post_id):
@bp.route("/view_post/<int:post_id>")
def view_post(post_id):
db = get_db()
- post = db.execute("SELECT * FROM posts WHERE id = ?",(post_id,)).fetchone()
+ post = db.execute("""
+ SELECT p.*,h.f_id FROM posts p
+ INNER JOIN forum_thread_of_post h ON p.id = h.p_id
+ WHERE p.id = ?;
+ """,(post_id,)).fetchone()
+
if post is None:
- flash("that post doesn't exist")
- return redirect(url_for('index'))
+ abort(404)
+
+ if not has_permission(post['f_id'], g.user, "p_view_threads", False):
+ abort(403)
- # when we have permissions, insert permissions check here
return render_template("view_post.html",post=post)
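Review bot: The denied branch (`abort(403)`) and the missing-post branch (`abort(404)`) are distinguishable, so a caller without p_view_threads can still probe /view_post/<id> to learn which post ids exist in forums they cannot read. If that existence oracle matters for this forum, make both outcomes identical with `abort(404)` in place of `abort(403)`, or confirm that thread and forum views already return 403 for forbidden ids so the behaviour is at least consistent across the three routes. The INNER JOIN on forum_thread_of_post is a sound fail-closed choice: a post with no forum mapping now 404s instead of rendering with no check. This assumes `abort`, `g` and `has_permission` are already imported in thread.py and that `has_permission` tolerates `g.user` being None for anonymous visitors; neither is visible in this hunk, and the hunk header counts three trailing context lines that are not shown here.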