fix!: remove /api/post
The code handling /api/post is similar to the code handling /post, but /api/post has some bugs, such as allowing banned users to upload files. Making /post the only endpoint able to upload files removes duplicated code, which in turn reduces the chance of bugs. Although this removes /api/post, it shouldn't cause any issues, since /api/post isn't currently usable: it requires a multipart request, but the code calls get_json(), which only works when the mimetype is application/json.
parent
7c4c0c7ceb
commit
a041e6a21f
@ -394,58 +394,6 @@ def apilogin():
|
||||||
"error": "https://http.cat/images/400.jpg"
|
"error": "https://http.cat/images/400.jpg"
|
||||||
}, 400
|
}, 400
|
||||||
|
|
||||||
@app.route("/api/post", methods=("GET", "POST"))
|
|
||||||
def apipost():
|
|
||||||
usersession = request.cookies.get("session_DO_NOT_SHARE")
|
|
||||||
if usersession:
|
|
||||||
if request.method == "POST":
|
|
||||||
|
|
||||||
data = request.get_json()
|
|
||||||
title = data["id"]
|
|
||||||
|
|
||||||
if title == "":
|
|
||||||
return {
|
|
||||||
"error": "no title"
|
|
||||||
}, 403
|
|
||||||
|
|
||||||
if "file" not in request.files:
|
|
||||||
return {
|
|
||||||
"error": "no file"
|
|
||||||
}, 403
|
|
||||||
|
|
||||||
file = request.files["file"]
|
|
||||||
if file.filename == "":
|
|
||||||
return {
|
|
||||||
"error": "no file"
|
|
||||||
}, 403
|
|
||||||
|
|
||||||
if not allowed_file(file.filename):
|
|
||||||
return {
|
|
||||||
"error": "invalid file format"
|
|
||||||
}, 403
|
|
||||||
|
|
||||||
filename = secure_filename(file.filename)
|
|
||||||
finalfilename = secrets.token_hex(64) + filename
|
|
||||||
|
|
||||||
file.save(os.path.join(UPLOAD_FOLDER, finalfilename))
|
|
||||||
imgurl = "/cdn/" + finalfilename
|
|
||||||
|
|
||||||
userCookie = get_session(usersession)
|
|
||||||
user = get_user(userCookie["id"])
|
|
||||||
|
|
||||||
if not user["banned"] == "0":
|
|
||||||
return {
|
|
||||||
"error": "banned"
|
|
||||||
}, 403
|
|
||||||
|
|
||||||
conn = get_db_connection()
|
|
||||||
conn.execute("INSERT INTO posts (textstr, imageurl, creator, created) VALUES (?, ?, ?, ?)",
|
|
||||||
(title, imgurl, userCookie["id"], str(time.time())))
|
|
||||||
conn.commit()
|
|
||||||
conn.close()
|
|
||||||
|
|
||||||
return "success", 200
|
|
||||||
|
|
||||||
@app.route("/apidocs", methods=("GET", "POST"))
|
@app.route("/apidocs", methods=("GET", "POST"))
|
||||||
def apidocs():
|
def apidocs():
|
||||||
usersession = request.cookies.get("session_DO_NOT_SHARE")
|
usersession = request.cookies.get("session_DO_NOT_SHARE")
|
||||||
|
|
|
@ -35,7 +35,7 @@
|
||||||
for API things that require authentication, you will need to set the <code>session_DO_NOT_SHARE</code> cookie. the key might expire after 180 days.<br><br>
|
for API things that require authentication, you will need to set the <code>session_DO_NOT_SHARE</code> cookie. the key might expire after 180 days.<br><br>
|
||||||
|
|
||||||
GET <code>/api/frontpage</code> - returns frontpage<br><br>
|
GET <code>/api/frontpage</code> - returns frontpage<br><br>
|
||||||
POST <code>/api/post</code> - post ctas - authentication required<br>
|
POST <code>/post</code> - post ctas - authentication required<br>
|
||||||
<code>title</code>, being the title of the post and <code>file</code>, being an image file.<br>
|
<code>title</code>, being the title of the post and <code>file</code>, being an image file.<br>
|
||||||
Supported file extensions: "png", "apng", "jpg", "jpeg", "gif", "svg", "webp"<br><br>
|
Supported file extensions: "png", "apng", "jpg", "jpeg", "gif", "svg", "webp"<br><br>
|
||||||
POST <code>/api/comment</code> - comment on posts - authentication required<br>
|
POST <code>/api/comment</code> - comment on posts - authentication required<br>
|
||||||
|
|