Fix permissions when calling /api/flair on links across subreddits.

2026-04-27 03:00:12 -04:00 · 2012-04-19 17:11:16 -07:00
parent a058ae02f4
commit b6c89a349b
1 changed files with 5 additions and 0 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -2135,6 +2135,11 @@ class ApiController(RedditController):
                site = c.site
            else:
                site = Subreddit._byID(link.sr_id, data=True)
+                # make sure c.user has permission to set flair on this link
+                if not (c.user_is_admin or site.is_moderator(c.user)
+                        or (site.link_flair_self_assign_enabled
+                            and link.author_id == c.user._id)):
+                    abort(403, 'forbidden')
        else:
            flair_type = USER_FLAIR
            site = c.site