fix!: remove /api/post

The code handling /api/post is similar to the code handling /post, but /api/post has some bugs such as allowing banned users to upload files. Making /post the only API able to upload files would reduce duplicated code which reduces the chance of bugs. Although this removes /api/post, it shouldn't cause any issues since /api/post isn't currently usable because it requires a multipart request, but the code uses get_json which only works when the mimetype is application/json.
2023-07-12 01:55:30 +00:00 · 2023-07-12 01:55:30 +00:00 · a041e6a21f
parent 7c4c0c7ceb
commit a041e6a21f
2 changed files with 3 additions and 55 deletions
--- a/54
+++ b/54
@ -394,58 +394,6 @@ def apilogin():
            "error": "https://http.cat/images/400.jpg"
        }, 400

-@app.route("/api/post", methods=("GET", "POST"))
-def apipost():
-    usersession = request.cookies.get("session_DO_NOT_SHARE")
-    if usersession:
-        if request.method == "POST":
-
-            data = request.get_json()
-            title = data["id"]
-
-            if title == "":
-                return {
-                    "error": "no title"
-                }, 403
-
-            if "file" not in request.files:
-                return {
-                    "error": "no file"
-                }, 403
-
-            file = request.files["file"]
-            if file.filename == "":
-                return {
-                    "error": "no file"
-                }, 403
-
-            if not allowed_file(file.filename):
-                return {
-                    "error": "invalid file format"
-                }, 403
-            
-            filename = secure_filename(file.filename)
-            finalfilename = secrets.token_hex(64) + filename
-
-            file.save(os.path.join(UPLOAD_FOLDER, finalfilename))
-            imgurl = "/cdn/" + finalfilename
-
-            userCookie = get_session(usersession)
-            user = get_user(userCookie["id"])
-
-            if not user["banned"] == "0":
-                return {
-                    "error": "banned"
-                }, 403
-
-            conn = get_db_connection()
-            conn.execute("INSERT INTO posts (textstr, imageurl, creator, created) VALUES (?, ?, ?, ?)",
-                         (title, imgurl, userCookie["id"], str(time.time())))
-            conn.commit()
-            conn.close()
-
-            return "success", 200
-
@app.route("/apidocs", methods=("GET", "POST"))
 def apidocs():
    usersession = request.cookies.get("session_DO_NOT_SHARE")
@ -750,4 +698,4 @@ if __name__ == "__main__":
        sock.bind(('', int(PORT)))
        serve(app, sockets=[sock])

-    print("[INFO] Server stopped")
+    print("[INFO] Server stopped")
--- a/templates/apidocs.html
+++ b/templates/apidocs.html
@ -35,7 +35,7 @@
    for API things that require authentication, you will need to set the <code>session_DO_NOT_SHARE</code> cookie. the key might expire after 180 days.<br><br>
    
    GET <code>/api/frontpage</code> - returns frontpage<br><br>
-    POST <code>/api/post</code> - post ctas - authentication required<br>
+    POST <code>/post</code> - post ctas - authentication required<br>
    <code>title</code>, being the title of the post and <code>file</code>, being an image file.<br>
    Supported file extensions: "png", "apng", "jpg", "jpeg", "gif", "svg", "webp"<br><br>
    POST <code>/api/comment</code> - comment on posts - authentication required<br>
@ -50,4 +50,4 @@
    </div>
 </body>

-</html>
+</html>