From ff55992ee47cef92919fb6b902bb93a2e329e8c3 Mon Sep 17 00:00:00 2001
From: Chad Birch
Date: Sun, 7 Jul 2013 11:48:02 -0600
Subject: [PATCH] Mod invite: Ensure that user is an unlimited mod

This was previously being enforced in the frontend but not the API.
---
r2/r2/controllers/api.py | 25 ++++++++++++++++---------
1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/r2/r2/controllers/api.py b/r2/r2/controllers/api.py
index b7ace299a..4c7dd2917 100755
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -726,22 +726,29 @@ class ApiController(RedditController, OAuth2ResourceController):
if not container:
return
+ # Don't let banned users make subreddit access changes
+ if type in self._sr_friend_types and c.user._spam:
+ return
+
if type == "moderator" and not c.user_is_admin:
# attempts to add moderators now create moderator invites.
type = "moderator_invite"
fn = getattr(container, 'add_' + type)
- # The user who made the request must be an admin or a moderator
- # for the privilege change to succeed.
- perm = 'wiki' if type.startswith('wiki') else 'access'
- if (not c.user_is_admin
- and type in self._sr_friend_types
- and (not container.is_moderator_with_perms(c.user, perm)
- or c.user._spam)):
- if c.user._spam:
- return
+ # Make sure the user making the request has the correct permissions
+ # to be able to make this status change
+ if type in self._sr_friend_types:
+ if c.user_is_admin:
+ has_perms = True
+ elif type.startswith('wiki'):
+ has_perms = container.is_moderator_with_perms(c.user, 'wiki')
+ elif type == 'moderator_invite':
+ has_perms = container.is_unlimited_moderator(c.user)
else:
+ has_perms = container.is_moderator_with_perms(c.user, 'access')
+
+ if not has_perms:
abort(403, 'forbidden')
if type in self._sr_friend_types and not c.user_is_admin:
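Review bot: The `elif type == 'moderator_invite':` branch is the only place the unlimited-moderator requirement is enforced, and it covers plain `moderator` requests from non-admins only because the rewrite of `"moderator"` to `"moderator_invite"` a few lines earlier runs first; that ordering is load-bearing for the authorization decision and should be stated, e.g. `# relies on the non-admin "moderator" -> "moderator_invite" rewrite above; reordering these blocks would bypass the unlimited-mod check` on that `elif` line. The `type.startswith('wiki')` test grants the wiki-permission path to any friend type whose name begins with "wiki", so a future entry in `_sr_friend_types` with that prefix would inherit it implicitly; an explicit membership test against the wiki types (a tuple) would make the permission table easier to audit. The comment on the new early return says "banned", but `banned` is itself one of the friend types this method manages; `# site-wide spam/shadowbanned accounts (c.user._spam) may not change subreddit access lists` would remove the ambiguity. The enclosing method begins before the hunk.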