Merge remote-tracking branch 'origin/main'

2025-01-23 19:36:56 -08:00 · 2024-10-14 12:35:38 +13:00 · 2024-10-14 12:35:38 +13:00 · d8c75991cd
commit d8c75991cd
parent f1ddbcf008 07010ffaee
3 changed files with 11 additions and 5 deletions
--- a/app/api/alpha/utils/reply.py
+++ b/app/api/alpha/utils/reply.py
@ -125,7 +125,9 @@ def post_reply(auth, data):
    body = data['body']
    post_id = data['post_id']
    parent_id = data['parent_id'] if 'parent_id' in data else None
-    language_id = data['language_id'] if 'language_id' in data else 2
+    language_id = data['language_id'] if 'language_id' in data else 2       # FIXME: use site language
+    if language_id < 2:
+        language_id = 2                                                     # FIXME: use site language

    input = {'body': body, 'notify_author': True, 'language_id': language_id}
    post = Post.query.get(post_id)
@ -145,7 +147,9 @@ def put_reply(auth, data):

    reply_id = data['comment_id']
    body = data['body'] if 'body' in data else ''
-    language_id = data['language_id'] if 'language_id' in data else 2
+    language_id = data['language_id'] if 'language_id' in data else 2       # FIXME: use site language
+    if language_id < 2:
+        language_id = 2                                                     # FIXME: use site language

    input = {'body': body, 'notify_author': True, 'language_id': language_id}
    reply = PostReply.query.get(reply_id)
--- a/app/shared/reply.py
+++ b/app/shared/reply.py
@ -352,7 +352,7 @@ def make_reply(input, post, parent_id, src, auth=None):

 def edit_reply(input, reply, post, src, auth=None):
    if src == SRC_API:
-        user = authorise_api_user(auth, return_type='model')
+        user = authorise_api_user(auth, return_type='model', id_match=reply.user_id)
        content = input['body']
        notify_author = input['notify_author']
        language_id = input['language_id']
--- a/app/utils.py
+++ b/app/utils.py
@ -1281,7 +1281,7 @@ def add_to_modlog_activitypub(action: str, actor: User, community_id: int = None
    db.session.commit()


-def authorise_api_user(auth, return_type='id'):
+def authorise_api_user(auth, return_type=None, id_match=None):
    if not auth:
        raise Exception('incorrect_login')
    token = auth[7:]     # remove 'Bearer '
@ -1293,7 +1293,9 @@ def authorise_api_user(auth, return_type='id'):
            issued_at = decoded['iat']      # use to check against blacklisted JWTs
            user = User.query.filter_by(id=user_id, ap_id=None, verified=True, banned=False, deleted=False).scalar()
            if user:
-                if return_type == 'model':
+                if id_match and user.id != id_match:
+                    raise Exception('incorrect_login')
+                if return_type and return_type == 'model':
                    return user
                else:
                    return user.id