PromoteListingController: return 403 for non-sponsors on special sorts.

2026-04-27 03:00:12 -04:00 · 2014-04-16 14:41:35 -04:00
parent f973a6b1e0
commit 9590c0afa7
1 changed files with 5 additions and 0 deletions
--- a/r2/r2/controllers/promotecontroller.py
+++ b/r2/r2/controllers/promotecontroller.py
@@ -412,6 +412,11 @@ class PromoteListingController(ListingController):
        if not c.user_is_loggedin or not c.user.email_verified:
            # never reached--see MinimalController.on_validation_error
            return self.redirect("/ad_inq")
+
+        if (sort in ('underdelivered', 'reported', 'house') and
+            not c.user_is_sponsor):
+            self.abort403()
+
        self.sort = sort
        self.sr = None
        if sr and sr == Frontpage.name: