Allows token bearer to manipulate user flair, and
the flair of his submitted links
Give /api/setflairenabled "flair" scope
Give /api/flairselector "flair" scope
Previously, the subreddit/domain and account precomputers were separate.
This merges the two and improves their portability in the process.
Because of the increased portability, the precomputer can now be added
to the install script by default.
For simple installs of reddit, g.domain == g.media_domain. If this is
the case, the app will print a warning at startup. However, this
warning was printed to stdout which meant that any jobs (such as the
mr_top stuff) using the output of a reddit process would get this
warning in their data streams. Bad times.
The domain is not "reddit.com" on other sites. This also fixes the issue
of doing concatenation of internationalized strings which is a bad idea.
Fixes reddit/reddit#968.
This is one of the most heavily hit rels currently and the hope is that
pulling it out to its own pool will make the main cache more effective
for everything else. It may make sense to move SRMember to a different
model such as a C* DenormalizedRelation in the future.
When the user is not logged in or has the toolbar disabled, the toolbar
endpoint will turn a link ID36 into a redirect to the submission on
reddit. This redirect includes the slugified title of the post as well
as the subreddit it's in which could lead to a leak of information from
a private subreddit.
This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).
This is not strictly necessary as /gold/creditgild is where the
information leak actually occurs, but checking here should help prevent
future leaks of the same type.
This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).
Previously, it was possible to generate a payment blob for a comment the
user does not have permission to view (in a private subreddit or
deleted) and then use the creditgild form to see the author and content
of the comment. This adds a check to creditgild to ensure correct
permissions at display time.
This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).
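The two fixes above (toolbar redirect and creditgild) share one pattern: enforce view permissions at the moment the information is emitted, not only when the input (a link ID36, a payment blob) was first produced. The following is an added example and not code from the reddit repository; `Subreddit`, `Link`, `Comment`, `can_view`, `make_gild_blob`, the endpoint functions and the sample data are hypothetical stand-ins for the real models and controllers.

```python
# Added example, not reddit's own code: a model of the toolbar-redirect and
# creditgild information disclosure fixes. All names here are hypothetical.
import base64
import json
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Subreddit:
    name: str
    private: bool = False
    members: set = field(default_factory=set)


@dataclass
class Link:
    id36: str
    title: str
    sr: Subreddit


@dataclass
class Comment:
    id36: str
    author: str
    body: str
    sr: Subreddit
    deleted: bool = False


def can_view(user: Optional[str], thing) -> bool:
    """A deleted thing is never viewable; a thing in a private subreddit is
    viewable only by a logged-in member. user is None when logged out."""
    if getattr(thing, "deleted", False):
        return False
    if thing.sr.private:
        return user is not None and user in thing.sr.members
    return True


def slugify(title: str) -> str:
    return re.sub(r"[^a-z0-9]+", "_", title.lower()).strip("_")[:50]


def toolbar_redirect_vulnerable(user, link: Link) -> str:
    # Always emits subreddit name and title slug, even for a private subreddit.
    return "/r/%s/comments/%s/%s/" % (link.sr.name, link.id36, slugify(link.title))


def toolbar_redirect_fixed(user, link: Link) -> Optional[str]:
    # Refuse (caller answers 403) unless the viewer may see the link, so the
    # redirect target cannot be used to enumerate private-subreddit posts.
    if not can_view(user, link):
        return None
    return toolbar_redirect_vulnerable(user, link)


def make_gild_blob(user, comment: Comment, check: bool) -> Optional[str]:
    """Opaque blob handed to the payment flow. check=True applies the
    'not strictly necessary' defence-in-depth check at blob creation."""
    if check and not can_view(user, comment):
        return None
    return base64.urlsafe_b64encode(json.dumps({"thing": comment.id36}).encode()).decode()


def creditgild_vulnerable(user, blob: str, comments: dict) -> dict:
    # Trusts the blob: renders author and body with no permission check.
    thing = json.loads(base64.urlsafe_b64decode(blob))["thing"]
    c = comments[thing]
    return {"author": c.author, "body": c.body}


def creditgild_fixed(user, blob: str, comments: dict) -> Optional[dict]:
    # Re-check at display time: a blob minted earlier (or by another user)
    # does not prove the viewer may see the comment now.
    thing = json.loads(base64.urlsafe_b64decode(blob))["thing"]
    c = comments.get(thing)
    if c is None or not can_view(user, c):
        return None
    return {"author": c.author, "body": c.body}


# Constructed sample data
SECRET_SR = Subreddit("secretsub", private=True, members={"alice"})
PRIVATE_LINK = Link("1abc", "Q3 layoffs list", SECRET_SR)
PRIVATE_COMMENT = Comment("c1", "alice", "see attached spreadsheet", SECRET_SR)
DELETED_COMMENT = Comment("c2", "bob", "oops", Subreddit("pics"), deleted=True)
COMMENTS = {c.id36: c for c in (PRIVATE_COMMENT, DELETED_COMMENT)}


def demo():
    """Outcomes for the outsider 'mallory': (vulnerable results, fixed results)."""
    blob = make_gild_blob("mallory", PRIVATE_COMMENT, check=False)
    leaked = (toolbar_redirect_vulnerable("mallory", PRIVATE_LINK),
              creditgild_vulnerable("mallory", blob, COMMENTS))
    fixed = (toolbar_redirect_fixed("mallory", PRIVATE_LINK),
             creditgild_fixed("mallory", blob, COMMENTS))
    return leaked, fixed
```

The blob-creation check alone would not have closed the hole: a blob created before the comment was deleted, or created by a member and passed to a non-member, still reaches creditgild, which is why the display-time check is the one that matters.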
Only application devs will be permitted to use password grants,
to discourage widespread use. Password grants are intended
to be a convenience for bots & personal scripts, to encourage
use of OAuth tokens and ease transition to OAuth2.
For more info on password grants, see:
http://tools.ietf.org/html/rfc6749#section-4.3
This will allow for differing handling of permissions based
on application type.
* Web app: Web-hosted application. Can keep a client_secret
* Installed app: e.g., android app. Client secret is not so secret
See also: https://developers.google.com/accounts/docs/OAuth2InstalledApp
* Script: For simple scripts and bots. Client secret is assumed secret.
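The two commits above together describe a policy: the RFC 6749 section 4.3 password grant is honoured only for script-type apps, and only for the app's own developers, while installed apps are treated as public clients whose secret proves nothing. The following token-endpoint handler is an added example, not reddit's own OAuth2 implementation; `OAuthClient`, `User`, `hash_password`, `password_grant`, the PBKDF2 parameters and the sample clients and users are all hypothetical.

```python
# Added example, not reddit's own code: a token endpoint that honours the
# RFC 6749 section 4.3 password grant only for 'script' apps and only for
# users listed as the app's developers. All names here are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

WEB, INSTALLED, SCRIPT = "web", "installed", "script"


@dataclass
class OAuthClient:
    client_id: str
    client_secret: Optional[str]   # None for installed apps: nothing to keep secret
    app_type: str
    developers: set = field(default_factory=set)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(name: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, hash_password(password, salt))


def authenticate_client(clients: dict, client_id: str, client_secret) -> Optional[OAuthClient]:
    client = clients.get(client_id)
    if client is None:
        return None
    if client.app_type == INSTALLED:
        # Public client: the secret ships inside the binary, so do not rely on it.
        return client
    if client_secret is None or not hmac.compare_digest(client.client_secret, client_secret):
        return None
    return client


def password_grant(clients: dict, users: dict, client_id: str, client_secret, params: dict):
    """Handle a POST to the token endpoint; returns (http_status, json_body)."""
    if params.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    client = authenticate_client(clients, client_id, client_secret)
    if client is None:
        return 401, {"error": "invalid_client"}
    # Password grants are for bots and personal scripts only.
    if client.app_type != SCRIPT:
        return 400, {"error": "unauthorized_client"}
    user = users.get(params.get("username", ""))
    # Run the password hash even for unknown users so response time does not
    # reveal which usernames exist.
    salt = user.salt if user else b"\x00" * 16
    expected = user.pw_hash if user else b"\x00" * 32
    if not hmac.compare_digest(hash_password(params.get("password", ""), salt), expected):
        return 400, {"error": "invalid_grant"}
    # Only the app's own developers may use the grant.
    if user.name not in client.developers:
        return 400, {"error": "unauthorized_client"}
    return 200, {
        "access_token": secrets.token_urlsafe(32),
        "token_type": "bearer",
        "expires_in": 3600,
        "scope": params.get("scope", ""),
    }


# Constructed sample users and registered apps
USERS = {
    "bot_owner": make_user("bot_owner", "hunter2"),
    "someone": make_user("someone", "pw"),
}
CLIENTS = {
    "scriptapp": OAuthClient("scriptapp", "s3cret", SCRIPT, {"bot_owner"}),
    "webapp": OAuthClient("webapp", "w3b", WEB, {"bot_owner"}),
    "phone": OAuthClient("phone", None, INSTALLED, {"bot_owner"}),
}


def grant(client_id, client_secret, username, password, scope="flair"):
    """Convenience wrapper: a password-grant request from a bot or script."""
    return password_grant(CLIENTS, USERS, client_id, client_secret, {
        "grant_type": "password", "username": username,
        "password": password, "scope": scope,
    })
```

The ordering of the checks is deliberate: client type is rejected before the user's password is ever examined, so a leaked web-app secret cannot be turned into a password-guessing oracle, and a correct password for a user who is not a developer of the app still yields `unauthorized_client`.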
It is necessary to do this check in V*OrAdminSecret as we cannot (and
should not) require a modhash when the secret token is being used
because this would break API compatibility and isn't necessary.
This fixes two XSRF vulnerabilities reported by Jordan Milne
(/u/largenocream).
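The point of the commit above is that a validator accepting either a shared secret or a cookie session must still demand the modhash on the cookie path: the secret cannot be supplied by a cross-site request, but the browser attaches the session cookie to any form post. The following is an added example in the spirit of such a validator, not reddit's own V*OrAdminSecret code; `SERVER_KEY`, `ADMIN_SECRET`, the `session` cookie, the `uh` and `secret` parameter names and the `Request` model are constructed for the example.

```python
# Added example, not reddit's own code: an "admin secret or cookie session"
# validator in its XSRF-prone form and its corrected form. All names are
# hypothetical and the key/secret values are constructed.
import hashlib
import hmac
from dataclasses import dataclass, field

SERVER_KEY = b"constructed-server-key"
ADMIN_SECRET = "constructed-admin-secret"


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def modhash_for(username: str) -> str:
    # Per-user anti-XSRF token derived from a server secret; a third-party
    # page cannot read it from the victim's session or forge it.
    return hmac.new(SERVER_KEY, username.encode(), hashlib.sha256).hexdigest()


def session_user(req: Request):
    return req.cookies.get("session")   # constructed: cookie carries the username


def validate_vulnerable(req: Request) -> str:
    """Admin secret or cookie session. The cookie path never checks the
    modhash, so a cross-site form post riding the victim's cookie passes."""
    if req.params.get("secret") == ADMIN_SECRET:
        return "admin-secret"
    user = session_user(req)
    if user is None:
        raise PermissionError("not logged in")
    return user


def validate_fixed(req: Request) -> str:
    """Admin secret (no modhash required: the secret itself is proof the
    caller is not a cross-site page) or cookie session plus a valid modhash."""
    secret = req.params.get("secret")
    if secret is not None:
        if hmac.compare_digest(secret.encode(), ADMIN_SECRET.encode()):
            return "admin-secret"
        raise PermissionError("bad secret")
    user = session_user(req)
    if user is None:
        raise PermissionError("not logged in")
    uh = req.params.get("uh", "")
    if not hmac.compare_digest(uh.encode(), modhash_for(user).encode()):
        raise PermissionError("missing or invalid modhash")
    return user


def accepted(validator, req: Request) -> bool:
    try:
        validator(req)
        return True
    except PermissionError:
        return False


# Constructed requests: a forged cross-site post, a legitimate same-site post
# from reddit's own form, and a back-end call using the secret token.
CROSS_SITE = Request(cookies={"session": "victim"}, params={"id": "t3_1abc"})
SAME_SITE = Request(cookies={"session": "victim"},
                    params={"id": "t3_1abc", "uh": modhash_for("victim")})
SECRET_CALL = Request(params={"id": "t3_1abc", "secret": ADMIN_SECRET})
```

Two details matter in the fixed version: a wrong secret is rejected outright rather than falling through to the cookie path, and both comparisons use `hmac.compare_digest` so neither the secret nor the modhash can be recovered byte by byte from response timing.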
These endpoints don't appear to have been used since
reddit/reddit@a07c576d1a and I have
verified via haproxy logs that they are not ever being called.
This fixes two XSRF vulnerabilities reported by Jordan Milne
(/u/largenocream).