From a041e6a21f3f789257ecb8fe45334bc09cf7985f Mon Sep 17 00:00:00 2001
From: TestingPlant <>
Date: Wed, 12 Jul 2023 01:55:30 +0000
Subject: [PATCH] fix!: remove /api/post

The code handling /api/post is similar to the code handling /post, but /api/post has some bugs such as allowing banned users to upload files. Making /post the only API able to upload files would reduce duplicated code which reduces the chance of bugs. Although this removes /api/post, it shouldn't cause any issues since /api/post isn't currently usable because it requires a multipart request, but the code uses get_json which only works when the mimetype is application/json.
---
 main | 54 +-----------------------------------------
 templates/apidocs.html | 4 ++--
 2 files changed, 3 insertions(+), 55 deletions(-)
diff --git a/main b/main
index 64a1f11..42c3be4 100644
--- a/main
+++ b/main
@@ -394,58 +394,6 @@ def apilogin():
 "error": "https://http.cat/images/400.jpg"
 }, 400
-@app.route("/api/post", methods=("GET", "POST"))
-def apipost():
- usersession = request.cookies.get("session_DO_NOT_SHARE")
- if usersession:
- if request.method == "POST":
-
- data = request.get_json()
- title = data["id"]
-
- if title == "":
- return {
- "error": "no title"
- }, 403
-
- if "file" not in request.files:
- return {
- "error": "no file"
- }, 403
-
- file = request.files["file"]
- if file.filename == "":
- return {
- "error": "no file"
- }, 403
-
- if not allowed_file(file.filename):
- return {
- "error": "invalid file format"
- }, 403
-
- filename = secure_filename(file.filename)
- finalfilename = secrets.token_hex(64) + filename
-
- file.save(os.path.join(UPLOAD_FOLDER, finalfilename))
- imgurl = "/cdn/" + finalfilename
-
- userCookie = get_session(usersession)
- user = get_user(userCookie["id"])
-
- if not user["banned"] == "0":
- return {
- "error": "banned"
- }, 403
-
- conn = get_db_connection()
- conn.execute("INSERT INTO posts (textstr, imageurl, creator, created) VALUES (?, ?, ?, ?)",
- (title, imgurl, userCookie["id"], str(time.time())))
- conn.commit()
- conn.close()
-
- return "success", 200
-
 @app.route("/apidocs", methods=("GET", "POST"))
 def apidocs():
 usersession = request.cookies.get("session_DO_NOT_SHARE")
@@ -750,4 +698,4 @@ if __name__ == "__main__":
 sock.bind(('', int(PORT)))
 serve(app, sockets=[sock])
- print("[INFO] Server stopped")
\ No newline at end of file
+ print("[INFO] Server stopped")
diff --git a/templates/apidocs.html b/templates/apidocs.html
index 28c7118..5cb8f28 100644
--- a/templates/apidocs.html
+++ b/templates/apidocs.html
@@ -35,7 +35,7 @@ for API things that require authentication, you will need to set the session_DO_NOT_SHARE cookie. the key might expire after 180 days.

GET /api/frontpage - returns frontpage

- POST /api/post - post ctas - authentication required
+ POST /post - post ctas - authentication required
title, being the title of the post and file, being an image file.
Supported file extensions: "png", "apng", "jpg", "jpeg", "gif", "svg", "webp"

POST /api/comment - comment on posts - authentication required
@@ -50,4 +50,4 @@ - \ No newline at end of file +