From cc7b9f86e5fe63a7fb319bb6bfcc83f1efdcb544 Mon Sep 17 00:00:00 2001
From: Brian Simpson
Date: Sun, 9 Mar 2014 14:58:37 -0400
Subject: [PATCH] POST_subscribe: return errors rather than silently fail.
---
 r2/r2/controllers/api.py | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index 25d8e3882..41693b668 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -2883,22 +2883,27 @@ class ApiController(RedditController): See also: [/subreddits/mine/](#GET_subreddits_mine_{where}). """ - # only users who can make edits are allowed to subscribe. - # Anyone can leave. - if sr and (action != 'sub' or sr.can_comment(c.user)): - self._subscribe(sr, action == 'sub') - @classmethod - def _subscribe(cls, sr, sub): + if not sr: + return abort(404, 'not found') + elif action == "sub" and not sr.can_comment(c.user): + return abort(403, 'permission denied') + try: Subreddit.subscribe_defaults(c.user) - if sub: + if action == "sub": if sr.add_subscriber(c.user): sr._incr('_ups', 1) + else: + # tried to subscribe but user was already subscribed + pass else: if sr.remove_subscriber(c.user): sr._incr('_ups', -1) + else: + # tried to unsubscribe but user was not subscribed + return abort(404, 'not found') changed(sr, True) except CreationError: # This only seems to happen when someone is pounding on the
@@ -2906,7 +2911,6 @@ class ApiController(RedditController): # some other proc has already handled this subscribe request. return - @validatedForm(VAdmin(), VModhash(), hexkey=VLength("hexkey", max_length=32),
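Review bot: In the first hunk, the unsubscribe branch answers a user who was not subscribed with `abort(404, 'not found')`, the same status and detail used at the top for a missing subreddit, while the subscribe branch treats the already-subscribed case as a silent success. A client that retries an unsubscribe after a timeout then gets an error for a request that already reached its goal, and nobody reading responses or logs can tell the two 404 cases apart; either make the branch a no-op like its sibling or give it its own detail string, e.g. `return abort(404, 'not subscribed')`. That abort also fires after `Subreddit.subscribe_defaults(c.user)` has run inside the `try`, so a request that ends in an error may already have changed the user's subscriptions. Separately, the 403/404 split on `sub` tells a caller whether a subreddit they may not comment in exists, which is worth confirming as intended if some communities are meant to stay undiscoverable. The method's signature and validators lie outside the hunk, so how `sr` and `c.user` are populated cannot be checked from here.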