Don't let non-mods self-assign link flair via /api/flair.

2026-04-05 03:00:15 -04:00 · 2012-04-20 11:37:49 -07:00
parent b6c89a349b
commit d9e21d092c
1 changed files with 1 additions and 3 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -2136,9 +2136,7 @@ class ApiController(RedditController):
            else:
                site = Subreddit._byID(link.sr_id, data=True)
                # make sure c.user has permission to set flair on this link
-                if not (c.user_is_admin or site.is_moderator(c.user)
-                        or (site.link_flair_self_assign_enabled
-                            and link.author_id == c.user._id)):
+                if not c.user_is_admin and not site.is_moderator(c.user):
                    abort(403, 'forbidden')
        else:
            flair_type = USER_FLAIR