Disallow editing first party apps via the web interface.

2026-04-27 03:00:12 -04:00 · 2016-04-20 15:43:56 -07:00
parent d0a8491c32
commit 543486cd14
3 changed files with 13 additions and 0 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -4828,6 +4828,9 @@ class ApiController(RedditController):
        if client_id:
            # client_id was specified, updating existing OAuth2Client
            client = OAuth2Client.get_token(client_id)
+            if client.is_first_party() and not c.user_is_admin:
+                form.set_text('.status', _('this app can not be modified from this interface'))
+                return
            if app_type != client.app_type:
                # App type cannot be changed after creation
                abort(400, "invalid request")
@@ -4875,6 +4878,10 @@ class ApiController(RedditController):
            return
        if form.has_errors('name', errors.USER_DOESNT_EXIST, errors.NO_USER):
            return
+        if client.is_first_party() and not c.user_is_admin:
+            c.errors.add(errors.DEVELOPER_FIRST_PARTY_APP, field='name')
+            form.set_error(errors.DEVELOPER_FIRST_PARTY_APP, 'name')
+            return
        if client.has_developer(account):
            c.errors.add(errors.DEVELOPER_ALREADY_ADDED, field='name')
            form.set_error(errors.DEVELOPER_ALREADY_ADDED, 'name')
@@ -4897,6 +4904,10 @@ class ApiController(RedditController):
                   client=VOAuth2ClientDeveloper(),
                   account=VExistingUname('name'))
    def POST_removedeveloper(self, form, jquery, client, account):
+        if client.is_first_party() and not c.user_is_admin:
+            c.errors.add(errors.DEVELOPER_FIRST_PARTY_APP, field='name')
+            form.set_error(errors.DEVELOPER_FIRST_PARTY_APP, 'name')
+            return
        if client and account and not form.has_errors('name'):
            client.remove_developer(account)
            if account._id == c.user._id:
--- a/r2/r2/lib/errors.py
+++ b/r2/r2/lib/errors.py
@@ -138,6 +138,7 @@ error_list = dict((
        ('BAD_IMAGE', _('image problem')),
        ('DEVELOPER_ALREADY_ADDED', _('already added')),
        ('TOO_MANY_DEVELOPERS', _('too many developers')),
+        ('DEVELOPER_FIRST_PARTY_APP', _('this app can not be modified from this interface')),
        ('INVALID_MODHASH', _("invalid modhash")),
        ('ALREADY_MODERATOR', _('that user is already a moderator')),
        ('CANT_RESTRICT_MODERATOR', _("You can't perform that action because that user is a moderator.")),
--- a/r2/r2/templates/prefapps.html
+++ b/r2/r2/templates/prefapps.html
@@ -194,6 +194,7 @@ ${utils.radio_type('app_type', "script", _("script"),
                ${error_field('DEVELOPER_ALREADY_ADDED', 'name')}
                ${error_field('USER_DOESNT_EXIST', 'name')}
                ${error_field('NO_USER', 'name')}
+                ${error_field('DEVELOPER_FIRST_PARTY_APP', 'name')}
                <span class="status"></span>
              </form>
            </td>