When in an OAuth context, decorated functions
will only be run if the context includes the designated
scope.
When not in an OAuth context, the function is run normally.

Allows token bearer to manipulate user flair, and
the flair of his submitted links
Give /api/setflairenabled "flair" scope
Give /api/flairselector "flair" scope

Previously, the subreddit/domain and account precomputers were separate.
This merges the two and improves their portability in the process.
Because of the increased portability, the precomputer can now be added
to the install script by default.

For simple installs of reddit, g.domain == g.media_domain. If this is
the case, the app will print a warning at startup. However, this
warning was printed to stdout which meant that any jobs (such as the
mr_top stuff) using the output of a reddit process would get this
warning in their data streams. Bad times.

The domain is not "reddit.com" on other sites. This also fixes the issue
of doing concatenation of internationalized strings which is a bad idea.
Fixes reddit/reddit#968.

This is one of the most heavily hit rels currently and the hope is that
pulling it out to its own pool will make the main cache more effective
for everything else. It may make sense to move SRMember to a different
model such as a C* DenormalizedRelation in the future.

When the user is not logged in or has the toolbar disabled, the toolbar
endpoint will turn a link ID36 into a redirect to the submission on
reddit. This redirect includes the slugified title of the post as well
as the subreddit it's in which could lead to a leak of information from
a private subreddit.
This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).

This is not strictly necessary as /gold/creditgild is where the
information leak actually occurs, but checking here should help prevent
future leaks of the same type.
This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).

Previously, it was possible to generate a payment blob for a comment the
user does not have permission to view (in a private subreddit or
deleted) and then use the creditgild form to see the author and content
of the comment. This adds a check to creditgild to ensure correct
permissions at display time.
This fixes an information disclosure vulnerability reported by Jordan
Milne (/u/largenocream).
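
The display-time permission check described in the last message above, as an added example that is not code from the reddit repository. Every name here (Comment, can_view, make_blob, creditgild_unchecked, creditgild_checked) and all sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Comment:
    author: str
    body: str
    subreddit: str
    deleted: bool = False


# Constructed sample data (not from the page): one private subreddit, two public comments.
PRIVATE_SUBREDDITS = {"secretclub": {"alice"}}  # private subreddit -> approved members
COMMENTS = {
    "c1": Comment("alice", "members-only plans", "secretclub"),
    "c2": Comment("bob", "hello world", "pics"),
    "c3": Comment("carol", "since-deleted text", "pics", deleted=True),
}
BLOBS = {}  # payment-blob token -> stored blob


def can_view(user, comment):
    """A comment is viewable if it is not deleted and, in a private subreddit, the user is a member."""
    if comment.deleted:
        return False
    members = PRIVATE_SUBREDDITS.get(comment.subreddit)
    return members is None or user in members


def make_blob(user, comment_id):
    """Blob creation in the 'before' state: the comment id is stored without an authorisation check."""
    token = "blob-%d" % len(BLOBS)
    BLOBS[token] = {"buyer": user, "comment": comment_id}
    return token


def creditgild_unchecked(user, token):
    """'Before': the form trusts the blob and renders whichever comment it names."""
    c = COMMENTS[BLOBS[token]["comment"]]
    return {"author": c.author, "body": c.body}


def creditgild_checked(user, token):
    """'After': the current viewer is re-authorised against the comment at display time."""
    blob = BLOBS.get(token)
    c = COMMENTS.get(blob["comment"]) if blob else None
    if c is None or not can_view(user, c):
        return None  # render nothing about the comment
    return {"author": c.author, "body": c.body}
```

Checking at render time means a stored blob cannot be used to read a comment, whatever was validated when the blob was made.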