From 6f5741731efac510336e2b5d512b4523b9d8da13 Mon Sep 17 00:00:00 2001
From: ubq323
Date: Fri, 13 May 2022 21:46:16 +0100
Subject: fix permissions for view_post, and 404 instead of redirecting previously it was possible to see posts you didn't have permissions to view, by using /view_post/. now, this checks permissions. previously if a post with the given id did not exist, it would redirect you back to /, with an error message. now, it gives a 404 page, which is consistent with the behaviour when a thread or forum with the given id is not found.
---
 apioforum/thread.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/apioforum/thread.py b/apioforum/thread.py
index 4f5c2a0..83b1adc 100644
--- a/apioforum/thread.py
+++ b/apioforum/thread.py
@@ -339,12 +339,18 @@ def edit_post(post_id):
 @bp.route("/view_post/")
 def view_post(post_id):
     db = get_db()
-    post = db.execute("SELECT * FROM posts WHERE id = ?",(post_id,)).fetchone()
+    post = db.execute("""
+        SELECT p.*,h.f_id FROM posts p
+        INNER JOIN forum_thread_of_post h ON p.id = h.p_id
+        WHERE p.id = ?;
+    """,(post_id,)).fetchone()
+
     if post is None:
-        flash("that post doesn't exist")
-        return redirect(url_for('index'))
+        abort(404)
+
+    if not has_permission(post['f_id'], g.user, "p_view_threads", False):
+        abort(403)
-    # when we have permissions, insert permissions check here
     return render_template("view_post.html",post=post)
-- 
cgit v1.2.3
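Review bot: The new `abort(403)` line lets a caller without p_view_threads tell a real post id (403) apart from a nonexistent one (404), so the endpoint now confirms which ids exist in forums the user cannot read; if the thread and forum handlers answer 404 in that situation, `abort(404)` here would be the consistent choice the commit message aims for, and if 403 is intentional a one-line comment such as `# 403 rather than 404: existence of the post is not treated as secret` would record the decision. The fourth argument `False` to has_permission is presumably the fall-back when no permission row exists, which is what makes the check fail closed; since the old explanatory comment was removed, a short comment on that line stating the fall-back would help the next reader, but the semantics of has_permission are outside this hunk and should be confirmed. The INNER JOIN means a post with no forum_thread_of_post row is reported as 404, which is a safe default but also worth a comment. flash, redirect and url_for are no longer used in this function; if nothing else in thread.py uses them the imports can be dropped, though the rest of the file is outside the hunk.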