Don't allow non-admins to even generate admin cookies.

They weren't usable due to the checks in reddit_base, but it's safer to not even generate 'em. Thanks to /u/largenocream for reporting this.
2026-01-25 14:58:27 -05:00 · 2013-11-19 16:57:12 -08:00
parent 7547315410
commit 9f5a48f97f
1 changed files with 3 additions and 0 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -3303,6 +3303,9 @@ class ApiController(RedditController, OAuth2ResourceController):
                   remember=VBoolean("remember"),
                   dest=VDestination())
    def POST_adminon(self, form, jquery, remember, dest):
+        if c.user.name not in g.admins:
+            self.abort403()
+
        if form.has_errors('password', errors.WRONG_PASSWORD):
            return