API: ensure only reply owner can edit the reply

2025-02-02 16:21:32 -08:00 · 2024-10-13 12:52:20 +00:00 · 2024-10-13 12:52:20 +00:00 · 07010ffaee
commit 07010ffaee
parent 9054f05c1d
2 changed files with 5 additions and 3 deletions
--- a/app/shared/reply.py
+++ b/app/shared/reply.py
@ -352,7 +352,7 @@ def make_reply(input, post, parent_id, src, auth=None):

 def edit_reply(input, reply, post, src, auth=None):
    if src == SRC_API:
-        user = authorise_api_user(auth, return_type='model')
+        user = authorise_api_user(auth, return_type='model', id_match=reply.user_id)
        content = input['body']
        notify_author = input['notify_author']
        language_id = input['language_id']
--- a/app/utils.py
+++ b/app/utils.py
@ -1281,7 +1281,7 @@ def add_to_modlog_activitypub(action: str, actor: User, community_id: int = None
    db.session.commit()


-def authorise_api_user(auth, return_type='id'):
+def authorise_api_user(auth, return_type=None, id_match=None):
    if not auth:
        raise Exception('incorrect_login')
    token = auth[7:]     # remove 'Bearer '
@ -1293,7 +1293,9 @@ def authorise_api_user(auth, return_type='id'):
            issued_at = decoded['iat']      # use to check against blacklisted JWTs
            user = User.query.filter_by(id=user_id, ap_id=None, verified=True, banned=False, deleted=False).scalar()
            if user:
-                if return_type == 'model':
+                if id_match and user.id != id_match:
+                    raise Exception('incorrect_login')
+                if return_type and return_type == 'model':
                    return user
                else:
                    return user.id