fix!: remove /api/post

The code handling /api/post is similar to the code handling /post, but
/api/post has some bugs such as allowing banned users to upload files.
Making /post the only API able to upload files would reduce duplicated
code which reduces the chance of bugs.

Although this removes /api/post, it shouldn't cause any issues since
/api/post isn't currently usable because it requires a multipart
request, but the code uses get_json which only works when the
mimetype is application/json.
This commit is contained in:
TestingPlant 2023-07-12 01:55:30 +00:00 committed by TestingPlant
parent 7c4c0c7ceb
commit a041e6a21f
2 changed files with 3 additions and 55 deletions
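The ordering bug the commit message describes (the removed /api/post handler saved the upload before checking whether the user was banned), shown as an added stand-alone illustration that is not the project's code: Flask, the database and `secure_filename` are replaced by plain dicts, a temp directory and `os.path.basename` (all constructed assumptions), and both orderings are run for a banned user so the leftover file can be counted.

```python
# Added illustration, not code from the repository: the deleted /api/post
# handler called file.save() before the user["banned"] check, so a banned
# user's upload still landed in UPLOAD_FOLDER even though the post was
# refused. Constructed sample data replaces Flask and the database.
import os
import secrets
import tempfile

ALLOWED = {"png", "apng", "jpg", "jpeg", "gif", "svg", "webp"}

# Constructed user table: `banned` is the string "0"/"1", mirroring the
# `user["banned"] == "0"` comparison in the removed handler.
USERS = {"alice": {"banned": "0"}, "mallory": {"banned": "1"}}


def allowed_file(filename):
    return "." in filename and filename.rsplit(".", 1)[1].lower() in ALLOWED


def handle_post_before_fix(user_id, title, filename, data, upload_folder):
    """Order used by the removed handler: validate, save, *then* check the ban."""
    if title == "" or not allowed_file(filename):
        return "error", 403
    final = secrets.token_hex(64) + os.path.basename(filename)  # stand-in for secure_filename
    with open(os.path.join(upload_folder, final), "wb") as fh:
        fh.write(data)                       # side effect happens regardless of outcome
    if USERS[user_id]["banned"] != "0":
        return "banned", 403                 # post refused, orphaned file remains on disk
    return "success", 200


def handle_post_after_fix(user_id, title, filename, data, upload_folder):
    """Same handler with the ban check moved ahead of any side effect."""
    if USERS[user_id]["banned"] != "0":
        return "banned", 403                 # nothing written for banned users
    if title == "" or not allowed_file(filename):
        return "error", 403
    final = secrets.token_hex(64) + os.path.basename(filename)
    with open(os.path.join(upload_folder, final), "wb") as fh:
        fh.write(data)
    return "success", 200


def run_upload(handler, user_id):
    """Send one constructed PNG upload through `handler` in a fresh folder.
    Returns (status, http_code, number_of_files_left_behind)."""
    with tempfile.TemporaryDirectory() as folder:
        status, code = handler(user_id, "cat pic", "cat.png", b"\x89PNG-sample", folder)
        return status, code, len(os.listdir(folder))
```

A banned user gets the same 403 from both versions; only the file count on disk differs, which is the check worth repeating against /post before merging.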

main

@ -394,58 +394,6 @@ def apilogin():
"error": "https://http.cat/images/400.jpg" "error": "https://http.cat/images/400.jpg"
}, 400 }, 400
@app.route("/api/post", methods=("GET", "POST"))
def apipost():
usersession = request.cookies.get("session_DO_NOT_SHARE")
if usersession:
if request.method == "POST":
data = request.get_json()
title = data["id"]
if title == "":
return {
"error": "no title"
}, 403
if "file" not in request.files:
return {
"error": "no file"
}, 403
file = request.files["file"]
if file.filename == "":
return {
"error": "no file"
}, 403
if not allowed_file(file.filename):
return {
"error": "invalid file format"
}, 403
filename = secure_filename(file.filename)
finalfilename = secrets.token_hex(64) + filename
file.save(os.path.join(UPLOAD_FOLDER, finalfilename))
imgurl = "/cdn/" + finalfilename
userCookie = get_session(usersession)
user = get_user(userCookie["id"])
if not user["banned"] == "0":
return {
"error": "banned"
}, 403
conn = get_db_connection()
conn.execute("INSERT INTO posts (textstr, imageurl, creator, created) VALUES (?, ?, ?, ?)",
(title, imgurl, userCookie["id"], str(time.time())))
conn.commit()
conn.close()
return "success", 200
@app.route("/apidocs", methods=("GET", "POST")) @app.route("/apidocs", methods=("GET", "POST"))
def apidocs(): def apidocs():
usersession = request.cookies.get("session_DO_NOT_SHARE") usersession = request.cookies.get("session_DO_NOT_SHARE")
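Review bot: the removed handler ran file.save() before the `user["banned"] == "0"` check, so a banned user's file was written to UPLOAD_FOLDER even though the INSERT was refused; before merging, confirm that /post performs its ban check ahead of file.save, otherwise the defect named in the commit message is carried over rather than removed. Two smaller points from the deleted block that are worth verifying in /post: the title was read as `data["id"]` although the docs name the field `title`, and GET requests or requests without a session cookie fell through with no return value, which Flask reports as a server error rather than a 4xx.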


@ -35,7 +35,7 @@
for API things that require authentication, you will need to set the <code>session_DO_NOT_SHARE</code> cookie. the key might expire after 180 days.<br><br> for API things that require authentication, you will need to set the <code>session_DO_NOT_SHARE</code> cookie. the key might expire after 180 days.<br><br>
GET <code>/api/frontpage</code> - returns frontpage<br><br> GET <code>/api/frontpage</code> - returns frontpage<br><br>
POST <code>/api/post</code> - post ctas - authentication required<br> POST <code>/post</code> - post ctas - authentication required<br>
<code>title</code>, being the title of the post and <code>file</code>, being an image file.<br> <code>title</code>, being the title of the post and <code>file</code>, being an image file.<br>
Supported file extensions: "png", "apng", "jpg", "jpeg", "gif", "svg", "webp"<br><br> Supported file extensions: "png", "apng", "jpg", "jpeg", "gif", "svg", "webp"<br><br>
POST <code>/api/comment</code> - comment on posts - authentication required<br> POST <code>/api/comment</code> - comment on posts - authentication required<br>
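Review bot: the updated line points clients at `POST /post` with the same `title` and `file` fields but does not say how the request must be encoded; since the deleted handler read the upload from request.files while calling get_json, which is exactly the JSON-versus-multipart mismatch the commit message describes, state here that the body must be a multipart form upload rather than JSON so API users do not hit the same mismatch. If "post ctas" is a typo for "post cats", it could be corrected on the same line.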