a3x
/
nyaa
mirror of https://gitlab.com/SIGBUS/nyaa.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Comment deletion: fix small lack of validation (#395) 

People could delete their own comments on torrents other than
the one the URL would indicate, which meant they could mess with
the total comment count on a torrent by having it be higher than
it actually is through repeatedly posting and deleting comments
that way.

However, they could only ever delete their own comments, so this
isn't a huge issue in the first place.
This commit is contained in:
Nicolas F 2017-10-29 19:01:19 +01:00 committed by Anna-Maria Meriniemi
parent ca7dc276e2
commit 7095567b29
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
nyaa/views/torrents.py
View File

@ -342,6 +342,9 @@ def delete_comment(torrent_id, comment_id):
if not (comment.user.id == flask.g.user.id or flask.g.user.is_moderator):
flask.abort(403)
if torrent_id != comment.torrent_id:
flask.abort(400)
db.session.delete(comment)
db.session.flush()
torrent.update_comment_count()