From 5cb1f2e68dd1afd79fa28934368c61dfa231e80d Mon Sep 17 00:00:00 2001
From: Chad Birch <chad.birch@gmail.com>
Date: Wed, 26 Feb 2014 13:48:32 -0700
Subject: [PATCH] Subreddits: prevent contradictory status changes

This change makes it so that is no longer possible to ban a moderator,
or add a banned user as a mod/contributor/wiki-contributor.
---
 r2/r2/controllers/api.py         | 11 ++++++++++-
 r2/r2/lib/errors.py              |  1 +
 r2/r2/templates/modlisting.html  |  1 +
 r2/r2/templates/userlisting.html |  2 ++
 4 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index be57d50e9..567a7db26 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -844,11 +844,20 @@ class ApiController(RedditController):
         else:
             permissions = None
 
-        if type == "moderator_invite" and container.is_moderator(friend):
+        if (type in ("banned", "moderator_invite") and
+                container.is_moderator(friend)):
             c.errors.add(errors.ALREADY_MODERATOR, field="name")
             form.set_error(errors.ALREADY_MODERATOR, "name")
             return
 
+        # don't allow increasing privileges of banned users
+        unbanned_types = ("moderator", "moderator_invite",
+                          "contributor", "wikicontributor")
+        if type in unbanned_types and container.is_banned(friend):
+            c.errors.add(errors.BANNED_FROM_SUBREDDIT, field="name")
+            form.set_error(errors.BANNED_FROM_SUBREDDIT, "name")
+            return
+
         if type == "moderator":
             container.remove_moderator_invite(friend)
 
diff --git a/r2/r2/lib/errors.py b/r2/r2/lib/errors.py
index 100c192ad..b6df504be 100644
--- a/r2/r2/lib/errors.py
+++ b/r2/r2/lib/errors.py
@@ -135,6 +135,7 @@ error_list = dict((
         ('JSON_MISSING_KEY', _('JSON missing key: "%(key)s"')),
         ('NO_CHANGE_KIND', _("can't change post type")),
         ('INVALID_LOCATION', _("invalid location")),
+        ('BANNED_FROM_SUBREDDIT', _('that user is banned from the subreddit')),
     ))
 
 errors = Storage([(e, e) for e in error_list.keys()])
diff --git a/r2/r2/templates/modlisting.html b/r2/r2/templates/modlisting.html
index 15daca55a..c6292e25c 100644
--- a/r2/r2/templates/modlisting.html
+++ b/r2/r2/templates/modlisting.html
@@ -52,6 +52,7 @@
   %if thing.addable and thing.has_add_form:
     <%call expr="add_form(thing.form_title, thing.destination, thing.type, thing.container_name, verb=_('add'))">
       ${error_field("ALREADY_MODERATOR", "name")}
+      ${error_field("BANNED_FROM_SUBREDDIT", "name")}
     </%call>
   %endif
   ${listing()}
diff --git a/r2/r2/templates/userlisting.html b/r2/r2/templates/userlisting.html
index 14402223d..d6448799e 100644
--- a/r2/r2/templates/userlisting.html
+++ b/r2/r2/templates/userlisting.html
@@ -60,6 +60,8 @@
     <button class="btn" type="submit">${verb or _("add")}</button>
     <span class="status"></span>
     ${error_field("USER_DOESNT_EXIST", "name")}
+    ${error_field("ALREADY_MODERATOR", "name")}
+    ${error_field("BANNED_FROM_SUBREDDIT", "name")}
     %if caller:
       ${caller.body()}
     %endif